Home page logo

pen-test logo Penetration Testing mailing list archives

Re: My Frustrations
From: Cedric Blancher <blancher () cartel-securite fr>
Date: Fri, 19 Dec 2008 12:55:08 -0800

Hi Joseph.

Le vendredi 19 décembre 2008 à 01:58 -0500, Joseph McCray a écrit :
The customer isn't a security expert, and often can't differentiate
between you and someone that's not as technical as you.

That's the fundamental issue I see. Problem is, this customer is not
able to tell if what you tell him, trying to demonstrate your
experience, makes more sense than other guys statements.

Just let me paraphrase the comment I left on Adriel's blog. Basically,
there is a situation in economics referred as "information asymmetry"[1]
that fully applies to security market. The most quoted paper related to
this is "The Market for Lemons"[2] from George Akerlof. I am not an
economist at all, but I think this makes a lot of sense to explain the
security market situation, although it does not give answers.

This paper describes the information asymmetry consequences for
second-hand car market, where you can find crappy cars (lemons) and good
ones (cherries). Basically, the asymmetry comes from the fact that
sellers know which cars are lemons and cherries. But most buyers,
although they know there are lemons and cherries, can't tell the
difference between the two. This paper has been discussed a lot, but
basically,  you face a situation where buyers have very few choices. One
of them, and actually the most common one apparently, is to adopt a safe
posture consisting in buying cheaper to get the most value, posture we
can roughly translate into limiting the impact of getting screwed. As a
result, the whole market is pulled down by lemons as cherries will not
sell, to a point it can collapse, which means for instance buyers will
exit the market and go for brand new cars.

Now, let's get back to our security market. We are talking of security
practitioners, but we could have the exact same reasoning for products
(I will get back to them later). So we have skilled practitioners and
unskilled ones. Both of them are trying to convince customers they are
the best pick, and as customers can't tell the difference between the
two, they tend to adopt the posture of the lesser cost. Because unlike
car buyers, they don't really have an alternate market to exit to: they
need security, and for some of them, they have to deploy some thanks to
regulations. Therefore, the wide range of skill level we can find on
this market, from to highly skilled and experience people to blatant
newbies, tends to pull the whole market down, with best practitioners
whether leaving the market or lower down their services quality to match
the market price, at best fighting hard to make their living.

Now, what can we do answer that situation ? Obviously, it is a question
of information. Customers must be given the right signals so they can
better understand the difference between practitioners and what they
propose. They need a non compressible amount of credible information
that allows them to tell the difference between a skilled guy and a
newbie, or between an automated vulnerability assessment and a
penetration test, as an example.
Now comes the question of knowing who can deliver these signals. Can we
do this as practitioners ? As stated below, our voice often has no more
weight than the bullshit we can find around for our customers.
Independent entities ? Sure, but which ones ? Certifications ? they sure
have a role to play, but they have limits we all know... Basically I
don't have any good answer outside trying to educate the best we can,
for what is worth.

But I think the most interesting field is actually the product market,
where we face the exact same situation, maybe even worse actually. If I
give the average customer two products, say antiviruses, from two
different vendors, one being crap and the other good, will he be able to
tell the difference ? Or just answer this very basic question: what does
make a good antivirus ? Not mentioning that "good" also depends on his
environment and therefore can have different meanings for different
people. And if one is costing more than the other, what do you think he
will do ?
The "funny" thing there being law is actually increasing the asymmetry,
because in many countries, you are not allowed to dig into the product
for the sake of security. I do not specifically mean looking for
vulnerabilities (all products have vulnerabilities), but have a rather
precise idea of how products are working, their overall quality and
security. Like if the guys developing them know what they do or not,
Therefore, you end up in a situation where nonetheless customers are not
informed, but people who actually have the skills to perform that type
of analysis are restricted in what they can do and say, unless they feel
brave enough to spent the next 10 years in courts, challenging current

Well, that's my 0,02EUR of thinking for the day ;)

|1] http://en.wikipedia.org/wiki/Information_asymmetry
[2] http://en.wikipedia.org/wiki/The_Market_for_Lemons

PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]