Vaporware: worse than you think


Everybody has some experience with vaporware, right?  That thing that you buy that you think is going to solve all your problems and then turns out to not really do much of anything.

In the security world, this is now – and has been for years – a major problem.  For example, I once recall being in a shop that purchased a web scanning tool (one that was given a 5 star review from a respected trade publication that I won’t name). I recall also the chilling moment of realization when I discovered (only after hours of RT’ing the FM) that it didn’t support SSL connections.  Like, at all (this was before TLS).  As a result it was therefore unusable for my purposes – which at the time involved scanning exclusively SSL web sites.  Did the sales guy say anything about SSL being a “dealbreaker”?  No.  Did the review in the trade rag?  Also, no.  I was pretty upset about it at the time (still am now decades later.)

Well it turns out that there’s a pretty good article over at CSO that talks about exactly this problem.  The tl;dr is that it turns out (surprise surprise) that the security of organizations is undermined by vaporware.  The article does a great job of laying this aspect of the problem out: namely, that vaporware serves to undermine the security of organizations – and in fact the security industry more generally.  Organizations are less safe because they’re investing in – and deriving a false sense of security from – these products that don’t live up to the marketing hype.  Moreover, confidence in the industry overall is reduced as a result. However, the problem is actually bigger than even this article lets on.  There are a few other ancillary problems that occur as a result.

First, vaporware and marketing hype contributes to “shelfware” – meaning, you buy something thinking it’s going to be useful for some purpose.  It isn’t, so you don’t use it.  Now, I’ve covered this quite a bit over the years, but shelfware is tremendously problematic: not just because you’re paying for something valueless (which is already pretty bad) but also because it looks terrible in hindsight.  For example, what will the “armchair quarterback” (an investigator, regulator, the public, or a court) have to say – in the cold light of hindsight – if you didn’t detect a network attack while having an IDS system sitting unused on the shelf?  Not good, right?  In fact, a strong argument could be made about why that’s negligent.  Is it really negligent?  In this situation, I don’t think so…  But if you’re having to prove that in a court of law or public opinion, you’ve already lost.

Second, it contributes to buyer confusion.  Now, I’ve researched a lot of security products in my time (and I mean a lot a lot) – and I can tell you that figuring out what these products actually do can be really hard as it is.  The marketing language is often so thick that trying to figure out what the product actually does can be an hours-long research exercise.  That is time not well spent – particularly when many of the features listed apply to an as-yet released version or describe some hypothetical best-case scenario that requires months of integration effort to realize.  How can you make an intelligent, fact-based decision based on your unique requirements when every product out there slices bread and also solves world hunger?  You can’t.

The point is, this situation persists only so long as we allow it to.  What do we do about it?  There’s controlling the situation before it starts.  A good starting point for that is to always “kick the tires” on some new product acquisition before rushing headlong into a purchase.  Actually, as a general rule, I try very hard not to buy security products unless I can test them first (exceptions made for products that I’ve used before in other environments.)  Does that sound like super basic advice?  Maybe.  So why aren’t people doing it?  There’s also the cracking down on the marketing hype – and our tolerance of it as consumers.  If you can’t find out what the product does from the website (like, at a basic level), how much of your time are you willing to invest to get the answer?  Likewise, how much credence are you going to give their sales folks when they explain to you what the spin means?