{"id":163,"date":"2017-05-09T13:07:20","date_gmt":"2017-05-09T13:07:20","guid":{"rendered":"http:\/\/securitycurve.com\/?p=163"},"modified":"2017-05-09T13:07:20","modified_gmt":"2017-05-09T13:07:20","slug":"vaporware-worse-than-you-think","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=163","title":{"rendered":"Vaporware: worse than you think"},"content":{"rendered":"<p><a href=\"https:\/\/securitycurve.com\/wp-content\/uploads\/2017\/05\/vapor-ware-sales-reality-vapor-ware-vaporware-demotivational-poster-1272272502.jpg\"><img decoding=\"async\" class=\"size-medium wp-image-164 alignright lazyload\" data-src=\"https:\/\/securitycurve.com\/wp-content\/uploads\/2017\/05\/vapor-ware-sales-reality-vapor-ware-vaporware-demotivational-poster-1272272502-300x270.jpg\" alt=\"\" width=\"300\" height=\"270\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 300px; --smush-placeholder-aspect-ratio: 300\/270;\" \/><\/a>Everybody has some experience with vaporware, right? \u00a0That thing that you buy that you think is going to solve all your problems and then turns out to not really do much of anything.<\/p>\n<p>In the security world, this is now &#8211; and has been for years &#8211; a major problem. \u00a0For example, I once recall being in a shop that purchased a web scanning tool (one that was given a 5 star review from a respected trade publication that I won&#8217;t name). I recall also the chilling moment of realization when I discovered (only after hours of RT&#8217;ing the FM) that it didn&#8217;t support SSL connections. \u00a0Like, at all (this was before TLS). \u00a0As a result it was therefore unusable for my purposes &#8211; which at the time involved scanning exclusively SSL web sites. \u00a0Did the sales guy say anything about SSL being a &#8220;dealbreaker&#8221;? \u00a0No. \u00a0Did the review in the trade rag? 
\u00a0Also, no. \u00a0I was pretty upset about it at the time (still am now, decades later).<\/p>\n<p>Well, it turns out that there&#8217;s a <a href=\"http:\/\/www.cso.com.au\/article\/618803\/pitfalls-cybersecurity-shopping-hype-shoddy-products\/\">pretty good article<\/a> over at CSO that talks about exactly this problem. \u00a0The tl;dr is that it turns out (surprise surprise) that the security of organizations is undermined by vaporware. \u00a0The article does a great job of laying this aspect of the problem out: namely, that vaporware serves to undermine the security of organizations &#8211; and in fact the security industry more generally. \u00a0Organizations are less safe because they&#8217;re investing in &#8211; and deriving a false sense of security from &#8211; these products that don&#8217;t live up to the marketing hype. \u00a0Moreover, confidence in the industry overall is reduced as a result. However, the problem is actually bigger than even this article lets on. \u00a0There are a few other ancillary problems that occur as a result.<\/p>\n<p>First, vaporware and marketing hype contribute to &#8220;shelfware&#8221; &#8211; meaning,\u00a0you buy something thinking it&#8217;s going to be useful for some purpose. \u00a0It isn&#8217;t, so you don&#8217;t use it. \u00a0Now, I&#8217;ve covered this quite a bit over the years, but shelfware is tremendously problematic: not just because you&#8217;re paying for something valueless (which is already pretty bad) but also because it looks terrible in hindsight. \u00a0For example, what will the &#8220;armchair quarterback&#8221; (an investigator, regulator, the public, or a court) have to say &#8211; in the cold light of hindsight &#8211; if you didn&#8217;t detect a network attack while having an IDS system sitting unused on the shelf? \u00a0Not good, right? \u00a0In fact, a strong argument could be made about why that&#8217;s negligent. \u00a0Is it really negligent? 
\u00a0In this situation, I don&#8217;t think so&#8230; \u00a0But if you&#8217;re having to prove that in a court of law or public opinion, you&#8217;ve already lost.<\/p>\n<p>Second, it contributes to buyer confusion. \u00a0Now, I&#8217;ve researched a lot of security products in my time (and I mean a lot a lot) &#8211; and I can tell you that figuring out what these products actually do can be really hard as it is. \u00a0The marketing language is often so thick that trying to figure out what the product actually does can be an hours-long research exercise. \u00a0That is time not well spent &#8211; particularly when many of the features listed apply to an as-yet-unreleased version or describe some hypothetical best-case scenario that requires months of integration effort to realize. \u00a0How can you make an intelligent, fact-based decision based on your unique requirements when every product out there slices bread and also solves world hunger? \u00a0You can&#8217;t.<\/p>\n<p>The point is, this situation persists only so long as we allow it to. \u00a0What do we do about it? \u00a0There&#8217;s controlling the situation before it starts. \u00a0A good starting point for that is to always &#8220;kick the tires&#8221; on some new product acquisition before rushing headlong into a purchase. \u00a0Actually, as a general rule, I try very hard not to buy security products unless I can test them first (exceptions made for products that I&#8217;ve used before in other environments). \u00a0Does that sound like super basic advice? \u00a0Maybe. \u00a0So why aren&#8217;t people doing it? \u00a0There&#8217;s also the cracking down on the marketing hype &#8211; and our tolerance of it as consumers. \u00a0If you can&#8217;t find out what the product does from the website (like, at a basic level), how much of your time are you willing to invest to get the answer? 
\u00a0Likewise, how much credence are you going to give their sales folks when they explain to you what the spin means?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Everybody has some experience with vaporware, right? \u00a0That thing that you buy that you think is going to solve all your problems and then turns out to not really do much of anything. In the security world, this is now &#8211; and has been for years &#8211; a major problem. \u00a0For example, I once recall [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[123,125],"class_list":["post-163","post","type-post","status-publish","format-standard","hentry","category-security","tag-vaporware","tag-vendors"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/163","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=163"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/163\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=163"}],"curies":[{"name":"wp","hre
f":"https:\/\/api.w.org\/{rel}","templated":true}]}}