Certify Security?

Al Potter
Premier Services Labs Manager
ICSA Labs
apotter@icsalabs.com, PGP Key ID: 0x58C95451
"Why 3rd Party Security Assurance"

- Why 3rd Party Security Assurance?
- What IS Certification?
- What's Missing?
- The Premier Services Approach
Why 3rd Party Assurance?

- Vendor: "Trust me, it's secure."
- Customer: "OK!" (Doh!)
  - or "Yeah, right…"
  - or "Secure? Whassat?"
- Reagan: "Trust, but verify…"
(Generic) Certification

- A performance standard is set.
- Test methods are established.
- The product is evaluated, producing evidence.
- The evidence is presented; a decision is made as to whether the evidence supports the conclusion that the product meets the standard.
- If it does, somebody issues a certificate.
Certification, Cont'd

- This is "Evidence-Based" Security Assessment…
What's Missing?

- "Certification" is (supposed to be) objective, black and white.
- This doesn't fit a lot of today's security problems:
  - Spam
  - Spyware
  - Anything where vendor reaction time is an issue.
- The "Snapshot" Problem
Premier Services

- Certify what we can
- Evaluate the rest
- Compare where possible
- In the end, you have more assurance than before…