Monday, June 29, 2009

Two Pounds of Crap in a One Pound Box.

When I was 16 years old, my Dad decided he wanted to purchase a Ford Mustang 5.0. It was his first new car purchase since the 1967 Mustang he bought after high school. I of course insisted he get the GT with all the options. I drove to the dealer with him and watched as he haggled with the salesman. Having worked in the automobile sales and service industry for 20 years, he knew what he wanted and seemed to know what it should cost. The dealer offered him option packages and upgrades which my father promptly turned down. When I asked why, he said that the sports package and power windows were not going to make a muscle car perform better and it was just something that would break. As a result he purchased a stripped down LX that was several thousand dollars less expensive than the GT and was .3 seconds faster from 0-60 mph. He had the car for almost 15 years before a tractor trailer took it out.

I recently, realized how much that experience affected me. It’s been over 20 years since that visit to the dealership and I just realized how deeply the idea of simplicity has steered my decisions with technology. In my previous post entitled the The Risk of Complexity I wrote about the difficulties of securing complex technologies and mentioned the importance of the fundamentals of security. I wanted to expand on that thought here and outline some simple things that one should look for when evaluating technology solutions. Some fundamental features every solution should include are; reliability, detailed logging, ease of systems administration, complete and accessible documentation, and a proven support history. It is important to research the software provider’s track record on addressing functional bugs and security flaws.

It seems absurd, but many solution providers offering advanced technologies and features seem to fail terribly at basic functionality and stability. To summarize, it does not matter how sexy a security solution is if it fails open, crashes, or has unaddressed bugs in it. Moreover, if descriptive logs and documentation are not available and you cannot obtain an intelligent response from product support on an issue, then you have put the data you are assigned to protect at risk.

I recently had a conversation with the sales executive of a security solution on issues I have experienced with their product. His purposed solution was to purchase the new model with the extended warranty (also known as an upgrade with premium support). When I asked why I needed premium support to report an unpatched remote code execution vulnerability in a supported version, he attempted to sell me another solution his company offers.

So I wanted to offer this suggestion to those test driving solutions: The next time you are evaluating a product, ask some of questions regarding the aforementioned matters. Kick the tires and listen to the sound the door makes when you slam it. Test drive the product and make sure the suspension system is tight at high speeds. If Hyped Solution Inc. keeps pushing the limited edition report package or pie chart upgrade, then it may be time to drive up the street and find another dealer.

I would like to thank @Beaker for a recent tweet about his rental car and the recent blog post by @Jack_Daniel for jolting this memory out of my subconscious. Both individuals have remarkable ideas that they openly share with the security community and I fully recommend following their work.

No comments:

Post a Comment