Shostack + Friends Blog Archive


Trial By Fire

Tom Ptacek and Jeremy Rauch are offering a course on analyzing products, taking them from black boxes to open books. Cool! From the ad:

This class offers a behind-the-scenes tour of the product evaluation process. Renowned security experts Jeremy Rauch and Thomas Ptacek offer a crash course on the most important aspects of validating – or debunking – security product claims. We’ll show how to run a black-box test of a network security product, and provide an insider’s view on how security products are designed – and marketed – to survive product bakeoffs.

From Tom’s blog post, “Shameless Commerce Division:”

The network security space alone represents over two billion dollars per year in revenue. In large enterprises, a single major deal can score a vendor over a million dollars. If you think vendors aren’t employing absolutely every weapon in their arsenal to get their gear deployed, you’re being naive.

A younger, dumber Thomas Ptacek would have railed against the vendors for this. (Maybe even gotten a bit vindictive). But an older, wiser Thomas Ptacek (shut up, anybody from Arbor) has begun to accept that maybe there’s nothing wrong with vendors being aggressive. Gag.

Maybe the problem is how hopelessly outgunned buyers and evaluators are. There’s no Consumer Reports (or better yet, Cook’s Illustrated) for security products. Those publications don’t take advertising, and spend their money on test labs (or kitchens).

I’m excited about this class. Thomas gets how to break products, and his thinking about the origin of the problem matches mine. So, hey, Tom, can I trade you a shameless marketing quote for a seat in the room?

Much like Yoda entering a room, Thomas can wave his hands contemptuously and the Imperial guards will fall lifeless to the floor. Learn how they approach new products. Secrets you won’t learn from the Sith.