Author Archives: Jeremiah Grossman

About Jeremiah Grossman

Jeremiah Grossman is the Founder of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Over the last decade, Jeremiah has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world. As a well-known security expert and industry veteran, Jeremiah has been a guest speaker on six continents at hundreds of events including TED, BlackHat Briefings, RSA, SANS, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, and UCLA. Jeremiah is also a co-founder of the Web Application Security Consortium (WASC) and previously named one of InfoWorld's Top 25 CTOs. He serves on the advisory board of two hot start-ups, Risk I/O and SD Elements, and is a Brazilian Jiu-Jitsu Black Belt. Before founding WhiteHat, he was an information security officer at Yahoo! Jeremiah can be found on Twitter @jeremiahg.

An idea to help secure U.S. cybersecurity…

… and looking for the right person to show us how to do so.

A few years back I was watching a presentation given by General Keith B. Alexander, who was at the time Commander, U.S. Cyber Command and previously Director of the National Security Agency (NSA). Gen. Alexander’s remarks focused on the cybersecurity climate from his perspective and the impact on U.S. national and economic security. One comment he made caught my attention, specifically that the Department of Defense has 15,000 networks to protect. As an application security person I can only imagine how many total websites, a favorite target among hackers, that equates to. I’d bet very few of DoD’s websites by percentage get professionally assessed for vulnerabilities. Anyway, from this it became clear the General understands big picture cybersecurity problems in terms of scale.

At about 1:05:00 into the video the General opened the floor to questions and the most interesting one came from a Veteran. He said there are a lot of Veterans that would like to help with the country’s cybersecurity efforts, and asked if there were any programs available enabling them to do so. The General answered that he didn’t know for sure, but he didn’t think so. I did some research, and according to a Bureau of Labor Statistics report from September 2015, there are roughly 449,000 unemployed veterans. This was fascinating to me: as I see it, this is a ready-and-willing labor force, of which perhaps at least a small percentage could apply their skills to cybersecurity.

This got me thinking and an idea hit me, but before sharing it, I need to explain a bit how WhiteHat works internally for it to make sense.

WhiteHat assesses websites for vulnerabilities. If customers fix those issues, they are far less likely to get hacked. Simple. What makes WhiteHat different is we’re able to perform these assessments at scale. And, I’m not talking just basic scanning, but true quality assessments with business logic tests carried out by real experts, a strict requirement. The challenge is that AppSec skills are extremely scarce and sought after. Ask any hiring manager. Recognizing the severe skill shortage more than a decade ago, WhiteHat created its Threat Research Center – our Web hacker army. TRC is specifically equipped, complete with a training program and an unparalleled playground of permission-to-hack websites, to hire eager entry-level talent and turn them into experienced professionals quickly. Age and background of the applicants doesn’t matter. Today, WhiteHat has proven itself to be the best – and only – place for newcomers to get into the industry.

President Obama addressed the nation’s military on September 11, 2015 and mentioned the increasingly challenging state of cyber warfare: “What we’ve seen by both state and non-state actors is the increasing sophistication of hacking, the ability to penetrate systems that we previously thought would be secure. And it is moving fast.” The same website vulnerability issues that we’ve addressed in the private sector are felt in the defense realm.

This is where the idea comes in…

Let’s say the DoD launched a cybersecurity program to assess all of its websites for vulnerabilities. The result would be fewer breaches that are much harder to carry out. To do this the DoD would obviously need a scalable vulnerability scanning technology, but more importantly, the necessary AppSec manpower. This is where WhiteHat would come in as we have all the pieces. Financial issues aside, WhiteHat would be able to conduct all these assessments, continuously, and could do so using veteran labor — exclusively. We have the tech, the hiring process, the training program, pretty close to everything the program would require. All we need is a DoD program to partner up with.

If such a plan and program existed, everyone would win.

  • The DoD would be able to increase their cybersecurity defenses at scale and better protect the nation.
  • A large number of U.S. military veterans could be put to work towards a common cause, protecting the country’s cybersecurity, while acquiring InfoSec skills in the highest demand. Something the President said he wanted to do.
  • WhiteHat continues to grow its Web hacker army. Indeed, we already employ several veterans in the TRC who represent many of our best and brightest.

Of course there are details that need to be addressed, like how the DoD’s website vulnerability data would be safeguarded: the security of WhiteHat’s infrastructure would have to be closely audited (but considering who we already count as customers, I’m confident we’d be able to satisfy any reasonable standard), or the platform could be installed onto one of their networks, which is fine too. And then there are those doing the work: veterans whose backgrounds are already vetted and who are more trusted than the average “Johnny pen-tester.”

So, the question is … now what?

Over the past 3 years I’ve discussed this idea with dozens of people, both inside and outside the government, and while everyone agrees it’s a good idea, getting traction has been difficult to say the least. Some cybersecurity training programs exist for veterans, but they tend to be either small, dormant, or not something that really protects U.S. cybersecurity.

Referring to emerging cyberthreats in a lecture at Stanford in June 2015, Secretary of Defense Ashton Carter said, “We find the alignment in open partnership, by working together. Indeed, history shows that we’ve succeeded in finding solutions to these kinds of tough questions when our commercial, civil, and government sectors work together as partners.” It would seem that even the highest levels of leadership in the DoD agree that this is the only path forward that makes sense for securing the nation’s digital assets.

At this point, the best path forward is to simply put the idea out there for open discussion, and hopefully the “right person” will see it. Someone in the government who can help us carry it forward and contact us. If you are such a person, or know who is, we welcome the opportunity to talk — leaders within the VA, the DoD, or other parts of government. And hey, if you think the idea is crazy, stupid, or not viable for some reason… I am also interested in hearing why you think so (twitter: @jeremiahg).

The Ad Blocking Wars: Ad Blockers vs. Ad-Tech

More and more people find online ads to be annoying, invasive, dangerous, insulting, distracting, and expensive, and, understandably, have decided to install an ad blocker. In fact, the number of people using ad blockers is skyrocketing. According to PageFair’s 2015 Ad Blocking Report, there are now 198 million active adblock users around the world with a global growth rate of 41% in the last 12 months. Publishers are visibly feeling the pain and fighting back against ad blockers.

Key to the conflict between ads and ad blockers is the Document Object Model, or DOM. Whenever you view a web page, your browser creates a DOM – a model of the page. This is a programmatic representation of the page that lets JavaScript convert static content into something more dynamic. Whatever is in control of the DOM will control what you see – including whether or not you see ads. Ad blockers are designed to prevent the DOM from including advertisements, while the page is designed to display them. This inherent conflict, this fight for control over the DOM, is where the Ad Blockers vs. Ad-Tech war is waged.

A recent high profile example of this conflict is Yahoo Mail’s reported attempt to prevent ad-blocking users from accessing their email, which upset a lot of people. This is just one conflict in an inevitable war over who is in control of what you see in your browser DOM – Ad Blockers vs. Ad-Tech (ad networks, advertisers, publishers, etc.).

Robert Hansen and I recently performed a thought experiment to see how this technological escalation plays out, and who eventually wins. I played the part of the Ad Blocker and he played Ad-Tech, each of us responding to the action of the other.

Here is what we came up with…

  1. Ad-Tech: Deliver ads to user’s browser.
  2. User: Decides to install an ad blocker.
  3. Ad Blocker: Creates a black list of fully qualified domain names / URLs that are known to serve ads. Blocks the browser from making connections to those locations.
  4. Ad-Tech: Create new fully qualified domain names / URLs that are not on black lists so their ads are not blocked. (i.e. Fast Flux)
  5. Ad Blocker: Crowd-source black list to keep it up-to-date and continue effectively blocking. Allow certain ‘safe’ ads through (i.e. Acceptable Ads Initiative)
  6. Ad-Tech: Load third-party JavaScript onto the web page, which detects when, and if, ads have been blocked. If ads are blocked, deny the user the content or service they wanted.

*** Current stage of the Ad Blocking Wars ***

  1. Ad Blocker: Maintain a black list of fully qualified domain names / URL of where ad blocking detection code is hosted and block the browser from making connections to those locations.
  2. Ad-Tech: Relocate ad or ad blocking detection code to a first-party website location. Ad blockers cannot block this code without also blocking the web page the user wanted to use. (i.e. sponsored ads, like those found on Google SERPs and Facebook)
  3. Ad Blocker: Detect the presence of ads, but not block them. Instead, make the ads invisible (i.e. visibility: hidden;). Do not send tracking cookies back to hosting server to help preserve privacy.
  4. Ad-Tech: Detect when ads are hidden in the DOM. If ads are hidden, deny the user the content or service they wanted.
  5. Ad Blocker: Allow ads to be visible, but move them WAY out of the way where they cannot be seen. Do not send tracking cookies back to hosting server to help preserve privacy.
  6. Ad-Tech: Deliver JavaScript code that detects any unauthorized modification to browser DOM where the ad is to be displayed. If the ad’s DOM is modified, deny the user the content or service they wanted.
  7. Ad Blocker: Detect the presence of first-party ad blocking detection code. Block the browser from loading that code.
  8. Ad-Tech: Move ad blocking detection code to a location that cannot be safely blocked without negatively impacting the user experience. (i.e. Amazon AWS)
  9. Ad Blocker: Crawl the DOM looking for ad blocking detection code, on all domains, first and third-party. Remove the JavaScript code or do not let it execute in the browser.
  10. Ad-Tech: Implement minification and polymorphism techniques designed to hinder isolation and removal of ad blocking detection code.
  11. Ad Blocker: Crawl the DOM looking for ad blocking detection code, reverse code obfuscation techniques on all domains, first and third-party. Remove the offending JavaScript code or do not let it execute in the browser.
  12. Ad-Tech: Integrate ad blocking detection code inside of core website JavaScript functionality. If the JavaScript code fails to run, the web page is designed to be unusable.

GAME OVER. Ad-Tech Wins.

The steps above will not necessarily play out exactly in this order as the war escalates. What matters more is how the war always ends. No matter how Robert and I sliced it, Ad-Tech eventually wins. Their control and access over the DOM appears dominant.

If you look at it closely, the Ad-Tech industry behaves quite similarly to the malware industry. The techniques and delivery are consistent. Ad-Tech wants to deliver and execute code users don’t want and they’ll bypass the user’s security controls to do exactly that! So it really should come as no surprise that malware purveyors heavily utilize online advertising channels to infect millions of users. And if this is the way history plays out, where eventually users and their ad blockers lose, antivirus tools are the only options left – and antivirus is basically a coin flip.

The only recourse left is not technical… the courts.

Saving Systems from SQLi

There is absolutely nothing special about the TalkTalk breach — and that is the problem. If you didn’t already see the news about TalkTalk, a UK-based provider of telephone and broadband services, their customer database was hacked and reportedly 4 million records were pilfered. A major organization’s website is hacked, millions of records containing PII are taken, and the data is held for ransom. Oh, and the alleged perpetrator(s) were teenagers, not professional cyber-criminals. This is the type of story that has been told for years now in every geographic region and industry.

In this particular case, while many important technical details are still coming to light, it appears – according to some reputable media sources – the breach was carried out through SQL Injection (SQLi). SQLi gives a remote attacker the ability to run commands against the backend database, including potentially stealing all the data contained in it. This sounds bad because it is.

Just this year, the Verizon Data Breach Investigations Report, found that SQLi was used in 19 percent of web application attacks. And WhiteHat’s own research reveals that 6 percent of websites tested with Sentinel have at least one SQLi vulnerability exposed. So SQLi is very common, and what’s more, it’s been around a long time. In fact, this Christmas marks its 17th birthday.

The more we learn about incidents like TalkTalk, the more we see that these breaches are preventable. We know how to write code that’s resilient to SQLi. We have several ways to identify SQLi in vulnerable code. We know multiple methods for fixing SQLi vulnerabilities and defending against incoming attacks. We, the InfoSec industry, know basically everything about SQLi. Yet for some reason the breaches keep happening, the headlines keep appearing, and millions of people continue to have their personal information exposed. The question then becomes: Why? Why, when we know so much about these attacks, do they keep happening?
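As an added illustration of the “we know how to write code that’s resilient to SQLi” point (example code written for this page, not WhiteHat’s or Sentinel’s), here is the same customer lookup done the vulnerable way, by splicing input into the statement text, and the resilient way, with a bound parameter, run against a constructed in-memory SQLite table. It also covers the one place parameters cannot help, a caller-chosen column name, which needs an allow-list instead.

```python
"""Vulnerable vs. parameterized SQL lookup against an in-memory SQLite table."""
import sqlite3

# Constructed sample data for this example (not real customer records).
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "07000 000001"),
    ("bob", "bob@example.com", "07000 000002"),
    ("carol", "carol@example.com", "07000 000003"),
]

# Column names a caller is allowed to sort by; identifiers cannot be bound as
# parameters, so they must be validated against a fixed set before use.
ALLOWED_SORT_COLUMNS = frozenset({"username", "email", "phone"})


def make_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """BAD: the input becomes part of the SQL text, so it can change the
    statement's structure (the WHERE clause) instead of only supplying a value."""
    sql = ("SELECT username, email, phone FROM customers WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """GOOD: the statement is compiled with a placeholder and the value is bound
    separately, so whatever the user typed is compared as data, never run as SQL."""
    sql = "SELECT username, email, phone FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_allowed_sort_column(column: str) -> bool:
    """Allow-list check for identifiers, which placeholders cannot protect."""
    return column in ALLOWED_SORT_COLUMNS


def list_customers_sorted(conn: sqlite3.Connection, sort_column: str) -> list:
    """Sort by a caller-chosen column only after the name passes the allow-list."""
    if not is_allowed_sort_column(sort_column):
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    # Safe to interpolate: sort_column is one of three fixed literals we chose.
    sql = f"SELECT username, email, phone FROM customers ORDER BY {sort_column}"
    return conn.execute(sql).fetchall()


def demo() -> dict:
    """Run both lookups with a normal username and with the classic tautology
    input, so the difference in behaviour is visible side by side."""
    conn = make_db()
    tautology = "' OR '1'='1"  # turns the vulnerable WHERE clause into "always true"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_injected": lookup_vulnerable(conn, tautology),  # every row leaks
        "safe_normal": lookup_parameterized(conn, "alice"),
        "safe_injected": lookup_parameterized(conn, tautology),  # no such username
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```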

One answer is that those who are best positioned to solve the problem are not motivated to take care of the issue – or perhaps they are just ignorant of things like SQLi and the danger it presents. Certainly the companies and organizations being attacked this way have a reason to protect themselves, since they lose money whenever an attack occurs. The Verizon report estimates that one million records stolen could cost a company nearly $1.2m. For the TalkTalk hack, with potentially four million records stolen (though some reports are now indicating much lower numbers), there could be nearly $2m in damages.

Imagine, millions of dollars in damages and millions of angry customers based on an issue that could have been found and fixed in mere days – if that. It’s time to get serious about Web security, like really serious, and I’m not just talking about corporations, but InfoSec vendors as well.

Like many other vendors, WhiteHat’s vulnerability scanning service can help customers find vulnerabilities such as SQLi before the bad guys exploit them. This lets companies proactively protect their information, since hacking into a website will be significantly more challenging. But even more importantly, organizations need to know that security vendors truly have their back and that their vendor’s interests are aligned with their own. Sentinel Elite’s security guarantee is designed to do exactly that.

If Sentinel Elite fails to find a vulnerability such as SQLi, and exploitation results in a breach like TalkTalk’s, WhiteHat will not only refund the cost of the service, but also cover up to $500k in financial damages. This means that WhiteHat customers can be confident that WhiteHat shares their commitment to not just detecting vulnerabilities, but actively working to prevent breaches.

Will security guarantees prevent all breaches? Probably not, as perfect security is impossible, but security guarantees will make a HUGE difference in making sure vulnerabilities are remediated. All it takes to stop these breaches from happening is doing the things we already know how to do. Doing the things we already know work. Security guarantees motivate all parties involved to do what’s necessary to prevent breaches like TalkTalk.

WhiteHat Website Security Statistics Report: From Detection to Correction

While web security used to be a reactionary afterthought, it has evolved to become a necessity for organizations that wish to conduct online business safely. Companies have switched from playing defense to playing offense in a game that is still difficult to win. In an effort to change the game, WhiteHat Security has been publishing its Website Security Statistics Report since 2006 in the hope of helping organizations improve web security before they become victim to an attack.

After several editions, this is by far the most data rich, educational, insightful and useful application security report I have ever read. I may be biased, but I believe this report is unique: something special and different that is an essential read for application security professionals. In creating this report, I have learned more about what works and what doesn’t work than I have learned doing anything else in my many years of working in application security. I am extremely confident that our readers will appreciate what we have created for them.

In this year’s report, we examine the activities of real-world application security programs along with the most prevalent vulnerabilities based on data collected from more than 30,000 websites under WhiteHat Sentinel management. From there, we can then determine how many vulnerabilities get fixed, the average time it takes to fix them, and how every application security program can measurably improve. Our research provides insights into how organizations can better determine which security metric to improve upon.

We’ve learned that vulnerabilities are plentiful, that they stay open for weeks or months, and that typically only half get fixed. We have become adept at finding vulnerabilities. The next phase is to improve the remediation process. In order to keep up with the increase in vulnerabilities, we need to make the remediation process faster and easier. The amount of time companies are vulnerable to web attacks is much too long – an average of 193 days from the first notification. Increasing the rate at which these vulnerabilities are remediated is the only way to protect users.

The best way to lower the average number of vulnerabilities, speed up time-to-fix, and increase remediation rates is to feed vulnerability results back to development through established bug tracking or mitigation channels. This places application security at the forefront of development and minimizes the need for remediation further down the road. The goal is more secure software, not more security software.

For security to improve, organizations need to set aside the idea of ‘best practices’ and not stop at compliance controls. Multiple parts of the organization must determine which teams should be held accountable for their specific job function. Organizations that don’t hold specific teams accountable have an average remediation rate of 24% versus 33% for companies that do. When you empower those who are also accountable, the organization has a higher likelihood of being effective.

In this year’s edition, the WhiteHat Website Security Statistics Report drives home the point that we now have a very clear understanding of what vulnerabilities are out there. Based on that information, we must create a solid, measurable remediation program to remove those vulnerabilities and increase the safety and security of the web.

To view the full report, click here. I would also invite you to join the conversation on Twitter at #WHStats @whitehatsec.

Introducing Craig Hinkley, WhiteHat Security CEO

As many of you know, I took on the role of “interim” CEO in February 2014, and along with the management team, led WhiteHat through a much needed period of re-strategizing and narrowing our focus onto the needs of our customers. In that time, we made great progress and improved every single metric that matters.

All the while, the Board of Directors and I were diligently searching to find the right person to step in as the permanent CEO. As founder, I may be biased, but WhiteHat is not just another security company. WhiteHat is something special and the work we do, web security, is important to the world. We needed a long-term CEO equal to the task. We needed someone who is passionate about web security and capable of taking WhiteHat to the next level; someone with the right skill set, experience, drive, vision, customer dedication, and most importantly, the ability to execute with us. Every. Single. Day.

At long last, we have found that person. On behalf of everyone here at WhiteHat Security, I am happy to introduce our new CEO, Craig Hinkley. Craig is an accomplished leader and I am confident that he is the right person to build on the foundation and momentum achieved by the WhiteHat team. While Craig’s resume is certainly impressive, it barely begins to do him justice. He’s the type of person who is driven, immediately engaging, and open to new ideas, while inspiring vision and excitement. We look forward to the key leadership he will bring to the WhiteHat team.

Many of you are probably asking, “What does this mean for Jeremiah?” My passion is, and continues to be, Web security, and WhiteHat is the very best place to do that. The vast majority of my day-to-day activity will remain largely unchanged. I will be heavily focused on our technology, product innovation, and strategy. With Craig on board, I’ll be freed up to focus more of my time and attention on those critical details.

Now, please join me in welcoming Craig as he takes the helm as CEO of WhiteHat Security.

View the official press release here.

Hack Yourself First: National and Economic Security

It’s safe to say most countries are investing in their cyber-offense capabilities or will be very soon. Even the smallest countries can wreak havoc on the most powerful with very little money. And while you consider the ramifications of this, here’s a quote to help it sink in.

“National security is no longer about tanks. National security is increasingly about economic well-being, internet security, and issues that allow us to live on a daily basis. We’re not worried today about the soviets blowing us up with nukes, but we are worried that our kids will be able to enjoy a quality of life vaguely related to our own.” -Ian Bremmer

How can a corporation — even the largest, let alone small businesses and individuals — possibly defend against armies of well-funded nation-state sponsored hackers? These hackers are professionally trained, with no reason to fear our laws, physically distant from their victims, and operate 24 hours a day, 7 days a week, 365 days a year. Remember, the Internet does not recognize or respect geographic borders. The Internet is particularly adept at routing around country-by-country laws and regulations that impeded traffic.

Many people in positions of power have expressed concern about the Internet being brought down. I’m more worried about what happens if the majority of people lose confidence in the system – the security of the Internet – and either stop or limit their use of the Internet. I’m worried about the long-term economic damage this causes, the loss of our ability to innovate, the failure to take advantage of the opportunities that the Internet provides.

New laws against criminal hacking are not going to help. Conventional warfare tactics are not much good either. Governments are largely unable to protect the private sector from international cyber-attack, nor should they be expected to. The perpetrators can be located anywhere, are extremely difficult to identify, attribute, and track down, even harder to extradite, and even if identified, located, and extradited, difficult to successfully prosecute. And then, if they are found to be spies, the likelihood of them getting traded for our own spies is high – so they go back to what they were doing. Not to mention foreign governments are highly unlikely to turn over their own cyber-warriors. Every CEO in America must understand – in cyber-security you’re on your own.

The reality is that a problem as diverse and wide reaching as cyber-crime cannot be solved by any one thing; but I’ll tell you this — protecting the Internet requires a completely new way of thinking. While our cyber-defense ability is severely lacking, one thing we all clearly know how to do extremely well is cyber-offense.

Offense can inform defense.

I call this approach Hack Yourself First, a concept that is critical to our self-defense. Internet security can be thought of as a race between the bad guys who find and exploit security weaknesses (we call them vulnerabilities) and the good guys who find and fix them. I felt so strongly about this that I built a company, WhiteHat Security, around this idea. At WhiteHat, we get paid by companies doing business online to hack into them and explain how we did so.

In no time flat we’re able to locate digital doorways to take over some or all of their systems, steal whatever sensitive data they have, access their customers’ accounts, or steal data they have on the system – all the things that could have made headlines like those you’ve probably seen recently. And let me make something else perfectly clear. These are systems owned by the largest and most well known organizations in the world. You know them. You do business with them. Collectively, they constitute billions of end-user accounts. In short, we’re probably already protecting you. Every vulnerability we find and our customers fix is one less hack that happens.

“Hack Yourself First” is also the reason why we teach other people how to hack, hundreds and thousands of them. We teach all sorts of ways to hack into banks, retail websites, social networks, government systems, and more. We teach people how this can be done from anywhere across the Internet.

Many wonder why teaching people how to hack is a good thing. I know hacking is often stereotyped as illegal or nefarious activity — but this is not always the case. Teaching people how to hack — building up our cyber-offense skills — is absolutely essential. Only if we have hacking skills can we focus these skills inward at ourselves BEFORE the bad guys do. The idea of “Hack Yourself First” is critical to national security and to ensuring our long-term economic well-being.

Remember, security is optional, but so is survival.

5 Characteristics of a ‘Sophisticated’ Attack

When news breaks about a cyber-attack, often the affected company will [ab]use the word ‘sophisticated’ to describe the attack. Immediately upon hearing the word ‘sophisticated,’ many in the InfoSec community roll their eyes because the characterization is viewed as nothing more than hyperbole. The skepticism stems from a long history of incidents in which breach details show that the attacker gained entry using painfully common, even routine, and ultimately defensible methods (e.g. SQL Injection, brute-force, phishing, password reuse, old and well-known vulnerabilities, etc.).

In cases of spin, the PR team of the breached company uses the word ‘sophisticated’ in an attempt to convey that the company did nothing wrong, that there was nothing they could have done to prevent the breach because the attack was not foreseeable or preventable by traditional means, and that they “take security seriously” – so please don’t sue, stop shopping, or close your accounts.

One factor that allows this deflection to continue is the lack of a documented consensus across InfoSec of what constitutes a ‘sophisticated’ attack. Clearly, some attacks are actually sophisticated – Stuxnet comes to mind in that regard. Not too long ago I took up the cause and asked my Twitter followers, many tens of thousands largely in the InfoSec community, what they considered to be a ‘sophisticated’ attack. The tweets received were fairly consistent. I distilled the thoughts down to a set of attack characteristics and have listed them below.

5 Characteristics of a ‘Sophisticated’ Attack:

  1. The adversary knew specifically what application they were going to attack and collected intelligence about their target.
  2. The adversary used the gathered intelligence to attack specific points in their target, and not just a random system on the network.
  3. The adversary bypassed multiple layers of strong defense mechanisms, which may include intrusion prevention systems, encryption, multi-factor authentication, anti-virus software, air-gapped networks, and on and on.
  4. The adversary chained multiple exploits to achieve their full compromise. A zero-day may have been used during the attack, but this alone does not denote sophistication. There must be some clever or unique technique that was used.
  5. If malware was used in the attack, then it had to be malware that would not have been detectable using up-to-date anti-virus, payload recognition, or other endpoint security software.

While improvements can and will be made here, if an attack exhibits most or all of these characteristics, it can be safely considered ‘sophisticated.’ If it does not display these characteristics and your PR team still [ab]uses the word ‘sophisticated,’ then we reserve the right to roll our eyes and call you out.

What the InfoSec Skills Gap Means for the Future

One of the biggest challenges – if not the biggest challenge – facing information security is the lack of skilled talent. As yet another proof point in a long line of reports all saying the same thing, Cisco’s 2014 Annual Security Report says, “it’s estimated that by 2014, the [IT Security] industry will still be short more than a million security professionals across the globe.” You ask any hiring manager, and they’ll agree. And here’s the thing, we might be able to make a dent in the skill gap with education programs, but by-and-large, the information security skills shortage isn’t going to get solved any time soon.

This says to me…

  1. Breaches will continue at least at the current clip resulting in increased industry and government regulations, which will lead to compliance job openings.
  2. Compensation for competent information security personnel will continue to rise and globalize, regardless of whether the person is experienced or not.
  3. Organizations in the best position to hire, train, and retain security talent will carry the day. Education isn’t going to come in the form of reading or certification, but on the job in a more “trial by fire” way.
  4. Organizations will continue to outsource their security needs to where security talent can be best centralized and scaled.
  5. People with limited background in security will be increasingly tasked with performing security jobs – or at least managing the processes.
  6. Super easy-to-use security products and services will be preferred over the more technically sophisticated and feature rich.
  7. The information security skill shortage is actually going to get worse as the economy improves.

Everyone get busy automating!

6 Reasons Why ‘Security Guarantees’ Are Good For The Security Community

Since Sentinel Elite was announced, we’ve experienced an exciting amount of interest in its money-back guarantee and $250,000 financial coverage for damages suffered if a customer is breached via a vulnerability that we should have discovered but missed. Over the last few weeks, the security community has been buzzing with chatter about software liability, cyber-insurance, and security guarantees. There is an opportunity here for the information security industry to up its game. When done right, security guarantees are going to be really good for the security community. Here’s why:

  1. Truly effective security products become easier for customers to differentiate from those that are…less effective. Similar to how we look at the purchase of cars, electronics, and more, some products have better warranties than others, which signals less purchase risk for the buyer and an increase in perceived quality.
  2. The credibility of the security industry, or individual vendor, is improved because we hold ourselves accountable for the performance of our products. Let’s face it. Security vendors don’t always have a great reputation when viewed by those outside the industry. One explanation is that when our advice or products fail, we’re not on the hook. Many vendors even profit when disaster strikes, yet the victims – our customers – are left cleaning up the mess. By making ourselves accountable in the event of a breach we can turn this perception around and prove that our goals do align with our customers’.
  3. We receive performance and actuarial data that can be directly used to increase the effectiveness of our products. The upside on having to pay-out on a failure to live up to a security guarantee is that we get hard data on what really went wrong. This data is helpful because it tells us why the security control didn’t stop the bad guy. This data is pure gold for product development.
  4. It gives us the ability to quantify and convey the value of security products in dollars and cents. Most often business owners really don’t get the value of what it is that a security product does. We speak in esoteric terms about ‘vulnerability,’ ‘risk,’ ‘threat,’ ‘zero-day,’ and so on – very rarely do we speak in business terms or in dollars and cents that the business owner can truly understand. With security guarantees we can give stakeholders – those who pay for our solutions – a way to understand the value we bring to the business in language they understand and can plug into their financial spreadsheets.
  5. The business interests of a security company are in line with the customer and decisions are made accordingly. One of the most frustrating things for a security professional is encountering situations when what a customer really needs to be more secure is not necessarily what is beneficial for the security vendor. Customers want to spend money on products that help them protect against getting hacked. When vendors provide security guarantees, the highest priority is doing exactly that, which creates a true partnership between the vendor and the customer.
  6. Security guarantees enable defense-in-depth strategies to transcend the concept of simply buying multiple security products to protect the business in the event of financial loss. We know security products are not perfect or all-encompassing, so multiple solutions are needed to guard against breach under this eventuality. With a security guarantee, when all is said and done, the customer is still protected in the event that everything fails – which is more common than not these days.

We continue to appreciate the feedback on this topic and are very much interested in what our customers and the rest of the industry have to say about this. What other reasons are there – positive or negative – for having security guarantees? We would welcome your suggestions in the comments below.