Certify Security?
Al Potter
Premier Services Labs Manager
ICSA Labs
apotter@icsalabs.com, PGP Key ID: 0x58C95451
"Why 3rd Party Security Assurance"
Why 3rd Party Security Assurance?
What IS Certification?
What's Missing?
The Premier Services Approach
Why 3rd Party Assurance?
Vendor: "Trust me, it's secure."
Customer: "OK!" (Doh!)
or "Yeah, right..."
or "Secure? Whassat?"
Reagan: "Trust, but verify..."
(Generic) Certification
A performance standard is set.
Test methods are established.
The product is evaluated, producing evidence.
The evidence is presented; a decision is made as to whether the evidence supports the conclusion that the product meets the standard.
If it does, somebody issues a certificate.
Certification, Cont'd
This is "Evidence Based" Security Assessment...
What's Missing?
"Certification" is (supposed to be) objective, black and white.
This doesn't fit a lot of today's security problems:
Spam
Spyware
Anything where vendor reaction time is an issue.
The "Snapshot" Problem
Premier Services
Certify what we can
Evaluate the rest
Compare where possible
In the end, you have more assurance than before...