Content provided by Andy Willingham, Martin Fisher, Steve Ragan, Joseph Sokoly, and Yvette Johnson. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Andy Willingham, Martin Fisher, Steve Ragan, Joseph Sokoly, and Yvette Johnson or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

Episode 86: Episode 194 - Evaluating Security Product Vendors

24:46
Archived series ("Inactive feed" status)

When? This feed was archived on October 02, 2020 00:10 (4y ago). Last successful fetch was on July 03, 2019 15:18 (5y ago)

Why? Inactive feed status. Our servers were unable to retrieve a valid podcast feed for a sustained period.

Evaluating Security Product Vendors

In light of recent news about “Vendors Behaving Badly” we want to talk about how a security professional should evaluate vendors and their products.

Recent News:

Tanium exposed hospital’s IT while using its network in sales demos: https://arstechnica.com/security/2017/04/security-vendor-uses-hospitals-network-for-unauthorized-sales-demos/

Lawyers, malware, and money: The antivirus market’s nasty fight over Cylance: https://arstechnica.com/information-technology/2017/04/the-mystery-of-the-malware-that-wasnt/

  1. Information Sources
    There are so many different sources of information about vendors and their products. You owe it to yourself to evaluate not just the vendor but also each source of information.
    1. Analyst Firms: Gartner/Forrester/etc.
      1. Always remember they take a very generic view using a notional enterprise as the standard.
      2. Current customer interviews are important but, remember, those customer contacts likely came from the vendor.
      3. The perception of “Pay for Play” is there no matter how much the firms want to squelch it.
    2. 3rd Party Testing: NSS Labs, etc.
      1. These tests presume a lot, so make sure you understand what the conditions of the test were.
      2. The “Pay for Play” perception exists here too…
      3. The results of the testing aren’t specific but can help show outliers in a group.
    3. Podcasts
      1. Obviously your best and most relevant source of information. :-)
    4. Networking
      1. If you have developed a reliable network of peers you can reach out and ask folks. But, remember, buy them a beer for their troubles…
      2. Always remember perspective is everything. Some people just don’t like Company_Z and will always hate their products.
  2. Product Evaluation Rules
    1. Start with 3rd party data and demos. This will determine if your requirements (you did write out your requirements, right?) are met by the product.
    2. Do a PoC (Proof of Concept).
      1. Do not allow the vendor to drive the definition of “success” in a PoC.
      2. Try to break it. I mean REALLY try to break it.
      3. Remember, the PoC is going to be the best support and interaction you will ever get. If that sucks you might want to move along.
      4. Test all of your use cases. (You do have documented use cases, right?)
  3. Edge Cases
    1. Service providers such as penetration testers and MSSPs
