Expert: Beware security products

Security expert Bruce Schneier says users have to be alert when buying products offering protection from attacks, as quality can vary.
Written by Tom Espiner, Contributor

A leading security expert has warned businesses to beware of buying shoddy security products.

Bruce Schneier, founder and chief technical officer of BT Counterpane, issued the warning at the RSA Conference Europe 2007 in London on Tuesday. He told delegates that they should not necessarily trust security vendors to give a fair representation of the security of those products.

"There might be a political bent to security decisions, or there might be a marketing bent," said Schneier. "People selling smart cards [for example] will do a lot to convince us that smart cards are the answer to security problems. For every company that's secure, there's at least one 'me too'."

Schneier said it was difficult for companies to judge the security of varying products, as known attacks are rare and carry a high risk.

"If events are high damage and rare it's difficult to get data. I'm not going to know [the validity of a product] because I don't have the data. After 9/11 there was a huge inquiry into what went wrong, but it's hard to tell what went wrong because it was one event. There's not enough data," said Schneier.

"The [security] market is asymmetrical--the seller knows a lot more than the buyer," said Schneier. "In the US a lousy used car is called a lemon--but you don't know until you drive it off the lot that it's a lemon."

If marketed correctly, bad products can drive good products out of the market, Schneier warned.

"Products can have the same claims, the same algorithms, the same buzzwords, and one is very secure while the other is just slapped together. If there's no functional way to test a product, you'll buy the cheaper one," said Schneier.

Schneier said that due to market dynamics, good products tend to rise to the top, but that the market probably couldn't stop the incidence of rare events. He warned businesses not to get "caught up in the feeling of security, driven by fear, rather than the reality".

"Fundamentally we are not rational," said Schneier. "The brain is just barely functioning in the security community. It's still in beta testing. There are weird holes and shortcuts, and all sorts of patches and workarounds."

Businesses should evaluate security products very carefully, said Schneier, and find trusted individuals with expertise who can make security decisions within a company.

Eric Baize, senior director of the product security office of storage company EMC, agreed that there were both good and bad quality security products available.

"The law of statistics is such that in anything there are good and bad quality things," Baize told ZDNet.co.uk. "This applies to wine, food and security products. There has been a lot of discussion about whether security should be added on to the infrastructure, or included as a core feature. Now in the security space companies are selling secure infrastructures," said Baize.

Shannon Kellogg, director of information security policy for security company RSA, said that it was critical to build security into systems from the beginning.

"Building core security functionalities is absolutely critical," Kellogg told ZDNet.co.uk. "Systems in the past didn't have security functionalities, but it enables your company to do more. If your car has brakes it enables you to go faster."
