Product Evaluation Services
Companies often rely on third-party products for their information security needs. Such products may protect e-mail, messaging, local storage, databases or documents, or provide user authentication, transaction authorization and the like. Unfortunately, a customer has very little means of verifying that the product in use is actually secure enough for the task. Security-related products are written by thousands of individuals and companies, with or without adequate skills, and with or without taking their products through rigorous security assurance procedures.
Little or no guarantee is given for the actual robustness of these products or for their ability to deliver the level of security they claim. Most vendors give no warranty for security incidents involving their product. Moreover, vendors usually do not provide any documentation that would allow the customer to establish an educated trust in the product.
This is not out of malice. A formal security proof is practically impossible to obtain for most commercial products, and it is equally infeasible to test for the mitigation of every conceivable attack. It is challenging enough to assure that a product correctly supports all of its documented features; it is even harder (if not impossible) to assure that it does not also support any risky, unintended ones.
Aside from the security issues that result from poor design, many flaws occur simply because the product designer is not a security professional, or perhaps not even security-conscious. Experience shows that many applications implementing cryptographic mechanisms, written by application designers who are not security experts, turn out to be flawed once examined thoroughly. As Bruce Schneier has observed, anyone can design a security system that he himself cannot break. That is obviously not enough.
To summarize, the following points should be taken as given:
- Security-related products are often insecure, due to poor design by people who are skilled, but not necessarily in security.
- No assurance is given to the customer regarding the robustness of the product. The customer is typically asked to blindly entrust sensitive data to the product, with nothing on which to base that trust.
- Security products typically handle data whose exposure or alteration may have serious consequences; otherwise, the security features would not be needed in the first place.
- Usually, the product vendor cannot be held liable for damage caused by flaws in its products.
The evident conclusion is that it is practically the customer's duty to make every reasonable effort to assure that the product it entrusts with its sensitive data is worthy of that trust. This conclusion is the basis of our service.
We examine security products in light of the data they are (or are going to be) trusted with. This analysis is performed by security professionals who deal with security assurance for a living, day in and day out.
The extent to which we perform the evaluation is flexible and is mostly a function of the level of assurance required, the level of support we can get from the vendor, and the scope of the project.
We will be glad to address any further query you may have. Please refer to the contact page for contact information.