Security Product Corewars: When Robots Attack
A: A slew of recently-launched “security analyzer” products — boxes designed to break just about anything on the network (including other security devices) by being the worst, most aggressive TCP/IP conversationalists imaginable.
In an industry wholly pre-occupied with “speeds-n-feeds” (doing stupid things faster with more energy), attack signatures (security bean-counting), compliance reports (security for accountants), and intrusion prevention (give that monkey a gun), BeStorm (SecuriTeam), BreakingPoint Systems (ex-TippingPoint + Metasploit founder), and MuSecurity (ex-OneSecure + other Metasploit founder!) are betting on buyers actually paying to evaluate the products they buy based on, well, robust security (as opposed to the location of the Ethernet ports, rack-mount measurements, or color of das blinkenlights).
Whether the market is really ready for this, or for the mountain of 0-day vulns these guys are sitting on, is another question.
Many years ago, Arbor paid @stake to beat the crap out of our products. We were happy to have their seal of approval, but even happier to have had their best minds set against ours, looking for anything we’d missed in securing our system from the ground up. How many other organizations actually do this, I won’t venture to guess — but at the time, @stake was just about the only game in town, compared to the many NIAP/Common Criteria consultants and test labs available for bureaucratic accreditation.
Independent security evaluation is still a cottage industry left largely to magazine reviewers, test labs (now promoting their own certifications), and a few dogged purists, driven by some of the best “meat computers” in the business. The breadth of permuted attacks from an automated security analyzer would seem to nicely complement the depth of analysis provided by a competent security researcher — but will end-users actually pay for it themselves? Or will we see security analyzers quickly rolled up into existing network testing gear?
Merit badges versus technical merit – how do you evaluate your security purchases?