Do security companies really care about security?

Mitechniq Member Posts: 286
I wanted to discuss a point of frustration I have had in the last couple of months. Part of my job is to evaluate new security technologies for my company. I won't mention names, but do these companies really care about security? Let me give you some examples:

One company offers a vulnerability scanner, but their password file is unencrypted in the database, they do not allow you to change the self-signed cert in the application, and their streams to communicate with end devices still use SSLv3.

Another company offers a compliance and regulatory checker; it is an OVA with a Linux server as the OS. When I asked how I update and patch the server, the company consultant had no clue. So you make sure all my OTHER servers are compliant, but your server could potentially be the way a hacker gets into my environment.

Finally, I had to register my information with one company which asked for some personal information, including my social, but their webpage is HTTP. Huh, you cannot afford 40-100 dollars for an SSL cert and you're supposedly a security company?


I compare this to a director who is an atheist but loved making Christian based movies because of the potential profit.
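As an added example (not code from the original post or from any of the vendors described), here is how the first two findings should look when done right in Python: credential records stored as per-user salted PBKDF2 hashes rather than a plaintext password file, and a client TLS context for the device-communication channel that refuses SSLv3 and anything below TLS 1.2. The record layout, iteration count and function names are this example's own assumptions, not any product's.

```python
"""Added example: the two controls missing from the vulnerability scanner
described above, done correctly. Not vendor code; the record layout,
iteration count and helper names are this example's own assumptions."""
import hashlib
import hmac
import os
import ssl

# --- 1. Credential storage: never a plaintext "password file" ---------------
# Each record carries a random 16-byte salt and a PBKDF2-HMAC-SHA256 hash,
# so a dump of the database does not hand an attacker usable passwords.
PBKDF2_ITERATIONS = 600_000  # assumption: tune so one check costs ~100 ms


def make_record(password: str) -> dict:
    """Build the stored record for a new password (fresh salt every call)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    # hmac.compare_digest does not leak how many leading bytes matched
    return hmac.compare_digest(digest.hex(), record["hash"])


# --- 2. Transport to end devices: no SSLv3, no TLS < 1.2 ---------------------
def device_tls_context(ca_bundle=None) -> ssl.SSLContext:
    """Client context: verifies the peer certificate and hostname, and sets a
    floor of TLS 1.2 so SSLv3/TLS 1.0/1.1 can never be negotiated."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def accepts_legacy_protocols(ctx: ssl.SSLContext) -> bool:
    """True if the context could still negotiate SSLv3 or TLS 1.0/1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def hostname_verification_enabled(ctx: ssl.SSLContext) -> bool:
    """True only if the peer cert is required and checked against the host."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print("stored record:", rec)
    print("right password accepted:", verify_password(rec, "correct horse battery staple"))
    print("wrong password rejected:", not verify_password(rec, "Tr0ub4dor&3"))
    ctx = device_tls_context()
    print("legacy protocols possible:", accepts_legacy_protocols(ctx))
    print("hostname verification on:", hostname_verification_enabled(ctx))
```

The evaluation questions to put to a vendor follow directly from the code: show me the stored record format (salt and hash, or the password itself?), and show me the minimum protocol version the appliance's device channel will negotiate. A product that cannot answer both is the one the post above is complaining about.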

Comments

  • iBrokeIT Member Posts: 1,318
    First rule of security vendors... do not talk about the security of their product!
    Second rule of security vendors... do not talk about the security of their product!
    ...
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
  • E Double U Member Posts: 2,228
    Do companies only care about money? Yes, yes they do!
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • renacido Member Posts: 387
    Maybe they have a bug bounty program you can take advantage of. If so, don your white hat and do a proof of concept hack in your lab, and make some side money while providing a valuable service.

    Or, you could just tell them their platform has security vulnerabilities and for that reason their bid has been eliminated from consideration. Vote with your wallet as they say.
  • tpatt100 Member Posts: 2,991
    I think nowadays if you want a company to acknowledge your concerns, post it on their Facebook and Twitter page. It seems companies jump on concerns ASAP when they're brought up on their public online presence.
  • dustervoice Member Posts: 877
    I've always heard people say "Barbers have the worst haircuts and a mechanic's car is always broken." Maybe the same saying should apply to security vendors.
  • Matt2 Member Posts: 97
    I know of a hosting provider which provides service offerings to take most of the load off their customers to be compliant for various industry standards and regulations. And yet, the systems they maintain and monitor clearly should fail audits based on configuration alone. And it's not possible to truly "trust but verify" the work they are doing. Well you are supposed to trust without verifying enough of it.

    I have little faith in any company, they have to prove themselves to me before I accept they are as secure as they claim.
  • gespenstern Member Posts: 1,243
    Of course they don't. Any company cares about money (i.e. business) first and everything else is an afterthought. Apparently their business goes well so far even without these security controls. Why would they care to implement them?

    Actually recently I hosted a security meetup where I proved with numbers that Target Corp didn't care about information security and hackers and still doesn't care about it. Moreover, it is a right decision from a purely business standpoint as they didn't lose their own money to hackers, their damages are collateral only and they save much more each year from outsourcing to India, underbudgeting and understaffing than all their damages combined because of the breach.
  • Mishra Member Posts: 2,468
    Valid frustration.

    I've seen so many products developed in horrible ways. Just be happy that you have the gift to be able to find those nuances. There are many scenarios where the company lacked that person in their architect role when developing the product.
    My blog http://www.calegp.com

    You may learn something!
  • UnixGuy Mod Posts: 4,564
    Care?? Companies don't 'care' or feel; they're out to generate revenue. They will do the minimum to get the most revenue.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Check out my YouTube channel: https://youtu.be/DRJic8vCodE 


  • fuz1on Member Posts: 961
    Companies only care about their ROI.
    timku.com(puter) | ProHacker.Co(nsultant) | ITaaS.Co(nstultant) | ThePenTester.net | @fuz1on
    Transmosis | http://transmosis.com | LinkedIn | https://linkedin.com/in/t1mku
    If evil be spoken of you and it be true, correct yourself, if it be a lie, laugh at it. - Epictetus
    The only real failure in life is not to be true to the best one knows. - Buddha
    If you are not willing to learn, no one can help you. If you are determined to learn, no one can stop you. - Unknown
  • Params7 Member Posts: 254
    Generally, it's the hackers who tend to be more passionate about technology and finding new breakthroughs, while employees doing it for the paycheck are mostly playing catch-up.
  • SaSkiller Member Posts: 337
    The issue is a difference between departments. Sales staff will straight lie about the capabilities of a product or overstate it to make a sale.
    Dev staff are subject to the same requirements as other companies, get a product ready for release.

    Now usually there is a corps of individuals within the company who do care about security, but their power is relatively limited.

    In the end, doing things the right way doesn't bring the company money and it isn't easy.
    OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
  • TechGromit Member Posts: 2,156
    We use a solution called OPSWAT; they combine many different engines together to scan each file. There's a website below you can try.

    https://www.metascan-online.com/#!/scan-file

    Anyway, if you scan a file, you'll see the anti-virus definitions are over 789 days outdated. You would think they would be more proactive in keeping their scanning engines up to date. While they do keep the engines updated for the service we pay for, it doesn't present a good first impression when your free services are not.
    Params7 wrote: »
    Generally, it's the hackers who tend to be more passionate about technology and finding new breakthroughs, while employees doing it for the paycheck are mostly playing catch-up.

    Well, to be fair, hackers can make 100k from one breach; there's a lot of financial incentive to be passionate about technology. While some employees are well paid, generally they are not earning the kind of return on investment hackers can with their skills.
    Still searching for the corner in a round room.
  • scaredoftests Mod Posts: 2,780
    only when they get hit, badly.
    Never let your fear decide your fate....
  • jeremywatts2005 Member Posts: 347
    A company I worked for in the past provided a one-hour external pen test. Enough said about companies caring about security. It was just enough in some cases to pass, and companies took advantage of it. What can you really test in one hour on a network that you have no idea about? You just start running random attacks as quickly as you can and doing NMAP scans.
  • cyberguypr Mod Posts: 6,928
    What are you talking about? One hour is more than enough to test port 80 and tick that "Independent penetration test completed" checkbox.
  • zxshockaxz Member Posts: 108
    cyberguypr wrote: »
    What are you talking about? One hour is more than enough to test port 80 and tick that "Independent penetration test completed" checkbox.
    I could not help but laugh at this. lol

    OP, I have made this same observation. I hate/have to agree with everyone else when they say that companies care about money first.
  • bigdogz Member Posts: 881
    A 1-hour pen test... are photos developed as well?
    Seriously, I think that it would be a start and better than nothing at all. Some IT managers are very cheap and don't really have an understanding, until they lose their job because of it.

    As an MSP, we really try to provide layers of defense, and it really comes down to pride. Sometimes the tools are there but the execution is done poorly for a myriad of reasons.
  • TechGromit Member Posts: 2,156
    jeremywatts2005 wrote: »
    A company I worked for in the past provided a one-hour external pen test.

    I'm curious, who did they get to agree to do a one-hour pen test? I wouldn't think any reputable pen tester would agree to perform it. There's no money in it, and if/when the company gets hacked, do they really want their names associated with this "penetration" test? Like the company wouldn't hesitate to say "we thought we were secure, ABC Security Consultants did the pen test, it's their fault we got hacked."
    Still searching for the corner in a round room.