When security vendors fail: Three strikes and you’re out

Mar 29, 2011 | 4 mins
Data and Information Security

News headlines for security vendors and their customers have been pretty rotten of late. The RSA brand’s reputation is particularly muddy since it announced hackers had penetrated RSA servers and stole information related to the company’s SecurID two-factor authentication products.

There’s also the recent, sad saga of HBGary, and more than one headline about Kaspersky Lab being targeted over the last couple of years.

The latest piece of bad news concerns McAfee and comes by way of my colleague over at Network World, Julie Bort. She writes:

The website is full of security mistakes that could lead to cross-site scripting and other attacks, researchers said in a post on the Full Disclosure site on Monday. The holes with the site were found by the YGN Ethical Hacker Group, and reported to McAfee on Feb. 10, YGN says, before they were publicly disclosed to the security/hacking mailing list.

In addition to cross-site scripting, YGN discovered numerous information disclosure holes with the site including seeing an internal hostname and finding 18 source code disclosures. The portion of the site that could be used for XC scripting attack hosts some of McAfee’s files for downloading software, YGN says on its Full Disclosure post.

This isn’t just embarrassing, but also somewhat discrediting for McAfee, which markets a McAfee Secure service to enterprises for their customer-facing websites. McAfee Secure scans a website daily for “thousands of hacker vulnerabilities,” the company advertises. If the site is found to “be certified” to McAfee’s “high standard of security,” then users of McAfee anti-malware products see a “McAfee Secure” label in their browsers. McAfee Secure claims to test for personal information access, links to dangerous sites, phishing, and other embedded malicious dangers that a website might unknowingly be

When these things happen I watch as the Twittersphere comes ablaze with scathing condemnation of the compromised vendor.

You can’t blame people for being this way. We put an enormous amount of trust in the vendors to protect our enterprises. Vendors employ PR agencies to pound us with publicity about how they can solve all our security problems and give us a peaceful night’s sleep.

When your business is security, the community is going to be a lot less forgiving when an attacker exposes your weaknesses. That’s never going to change, nor should it.

The folks at RSA may consider this unfair. They are after all victims. The bad guys hurt them. But if they’re feeling sorry for themselves, they need to suck it up.

When your customers are put in harm’s way, that’s preeminently the time to beat yourself up. Then, hopefully, you come clean, are honest about what happened, and clearly demonstrate how you’re going to keep it from happening again.

It is fair in the end, since vendors get a lot of PR mileage out of the security breaches that happen elsewhere.

At the same time, these vendors deserve a chance to set things right.

We’ve seen plenty of cases where a company that was breached or found in violation of various regulatory requirements bounced back with much stronger security programs. I think RSA and McAfee can bounce back, and they deserve our forgiveness — as long as they’re brutally honest about where things stand and they give us clear examples about what they’re doing to fix the problems.

That said, I also believe in the three strikes and you’re out model.

Everyone should get a chance to correct the problems that allowed a first breach. If there’s a second breach, a second chance is warranted when the company is honest and seeks help from the wider security community.

If it happens a third time, then maybe they need to be out of the game.

–Bill Brenner