How does the infosec community get vendors to use facts and reason
At the Usenix Enigma 2017 conference, the chief technical director of the UK NCSC used words that are very similar to what we've seen repeatedly here on Peerlyst. He called out cybersecurity vendors for using FUD.
He said that they rely on FUD and criminal-hacker stereotyping, such as graphics of figures in hoodies and the usual misconceptions.
This is well known to have been a problem, although many security vendors do seem to have toned down the most obviously misleading stereotyping.
He also said that when cybersecurity vendors push "APT" threats, it's really just "adequate pernicious toe-rags" doing the actual criminal work, not advanced persistent attackers. Script kiddies with Metasploit abusing SQL injection were mentioned, I believe.
Vendors use marketing terms and misconceptions to boost sales in whichever market they are in, a market that, according to Daniel Shapira, is full of "useless next-gen cyber security solutions".
So the big question becomes:
Is the profitability of cybersecurity vendors more important than openly facing what the real problem is and dealing with it in transparent fashion?
If we could require cybersecurity vendors to openly state what problem space they are trying to tackle, how they approach it technically, and where their solutions fall short, would this improve the current state of things?
Sales would probably drop for a lot of big vendors, while the infosec community in general, and blue teamers everywhere in particular, would start having a fighting chance at telling lemons from real security solutions.
Requiring vendors to openly state how their own application security program is implemented could help as well. Then CISOs and other decision makers in purchasing would at least get a chance to evaluate what they're buying:
- Option 2: Has a nondescript statement about an "SDLC" that they've implemented, but no details
Which would you choose?
It often comes down to "trust, but verify". When we do not have the option to verify, trust is not possible. Without trust there should be no purchasing, yet purchasing still happens, because CISOs are left without any other option: it's all FUD and security by obscurity. No one knows how anyone works their magic. And if everyone did know, it would no longer be magic, and the solution might turn out to add no value at all rather than the marginal theoretical value it was credited with.
That brings me to the software bill of materials (sometimes called a "bill of contents"). I've seen this idea proposed here and there, and if vendors were indeed obliged to document which third-party and open source libraries they use in their code, plus which version of each they ship in which release, this would also help CISOs make more informed decisions.
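To show what a buyer can actually do with such a list, here is an added example, not code from the original post or from any vendor: given a per-release inventory of third-party components, it diffs two releases and matches each component version against an advisory list. The product name "acmeguard", the component versions and the advisories are all constructed for illustration; the version comparison is a deliberately simple dotted-segment ordering, good enough for the sample data and labelled as an assumption in the code.

```python
"""Consume a vendor's bill of materials: diff two releases, match against advisories.

Added example with constructed data; not the post's or any vendor's code.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: two releases of a hypothetical product, each listing
# third-party components as name -> shipped version.
RELEASES: Dict[str, Dict[str, str]] = {
    "acmeguard-2.3.0": {
        "openssl": "1.0.2k",
        "zlib": "1.2.8",
        "jquery": "1.12.4",
        "commons-io": "2.5",
    },
    "acmeguard-2.4.0": {
        "openssl": "1.1.0e",
        "zlib": "1.2.11",
        "jquery": "3.1.1",
        "bootstrap": "3.3.7",
    },
}

# Constructed advisory list (hypothetical IDs, not real CVE data):
# (component, first affected version, last affected version, advisory id)
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("openssl", "1.0.2", "1.0.2k", "ADV-1"),
    ("zlib", "1.2.0", "1.2.8", "ADV-2"),
    ("jquery", "1.0", "1.12.4", "ADV-3"),
]

VersionKey = Tuple[Tuple[int, str], ...]


def version_key(version: str) -> VersionKey:
    """Turn "1.0.2k" into ((1, ""), (0, ""), (2, "k")) so tuples compare in order.

    Assumption: dotted segments, each a numeric prefix plus optional letter
    suffix (OpenSSL style). Real ecosystems need their own version schemes.
    """
    parts = []
    for seg in version.split("."):
        m = re.match(r"(\d*)(.*)", seg)
        num = int(m.group(1)) if m.group(1) else 0
        parts.append((num, m.group(2)))
    return tuple(parts)


def in_range(version: str, first: str, last: str) -> bool:
    """Inclusive range check using version_key ordering."""
    return version_key(first) <= version_key(version) <= version_key(last)


def diff_releases(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, dict]:
    """Report components added, removed, or changed between two inventories."""
    added = {n: v for n, v in new.items() if n not in old}
    removed = {n: v for n, v in old.items() if n not in new}
    changed = {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}
    return {"added": added, "removed": removed, "changed": changed}


def affected_components(
    components: Dict[str, str], advisories: List[Tuple[str, str, str, str]]
) -> List[Tuple[str, str, str]]:
    """Return (component, shipped version, advisory id) for every matching advisory."""
    hits = []
    for name, first, last, adv_id in advisories:
        shipped = components.get(name)
        if shipped is not None and in_range(shipped, first, last):
            hits.append((name, shipped, adv_id))
    return hits


if __name__ == "__main__":
    old, new = RELEASES["acmeguard-2.3.0"], RELEASES["acmeguard-2.4.0"]
    print("diff:", diff_releases(old, new))
    for release, comps in RELEASES.items():
        print(release, "affected:", affected_components(comps, ADVISORIES))
```

With the inventory in hand, the buyer's question changes from "do we trust the vendor's claim that it is patched?" to "which shipped version of which library is on our network, and does a known advisory cover it?", which is exactly the kind of verification the previous paragraph says is currently impossible.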
So I very much thank the NCSC chief technical director for lambasting the vendor community. We can get better, but only together, and only by being open and transparent about what's what and how it works.