Monday, June 8, 2009

Has WHS jumped the shark?

Does the "WhiteHat Website Security Certification Program" demonstrate that WHS has jumped the proverbial shark?

25% or more of WHS's customers demanded a logo program of this nature, says Jeremiah Grossman, CTO of WHS. Customer demand is not something to ignore lightly.

By the same token, website logo programs of this nature have a dubious past, at best.

Take McAfee's "Hack Safe" program as an obvious example. The level of negative press that the "Hacker Safe" program has generated to date is outstanding.

McAfee 'Hacker Safe' cert sheds more cred. Rubber stamp factory exposed

More bad news for McAfee, HackerSafe certification

Hackersafe? Not so much.

Russ McGee had a very interesting blog post that was favorable to WHS's new website cert program. In the comment section, Jeremiah states:

I think it's also fair to say that what we're offering is more of a "Trust mark" than "Security mark." We do not want lay claim as to the implied security of a website, or the lack thereof. Doing so is a very slippery slope. If our mark does that it is not our intent and we are open to ideas on how best to clarify its true meaning.

To answer your question, only Sentinel customers may display our mark -- which does not come cheaply as compared to others. Organizations who use the Sentinel Service are those who really care about security and the mark should represent that.

and states:

The “website security by WhiteHat Security” mark allows Sentinel subscribers to assure their site visitors that the WhiteHat Sentinel Services is being actively deployed to safeguard confidential data from security breaches and hacker attacks

Jeremiah was faced with a rather difficult choice : upset his customer, or upset some in the security community.

But I must call this a "security fail" for for time being.

a) This cert is not claiming that the website is secure
b) This cert claims that Whitehat Security is the web security service provider, only
c) This cert is consumer based; it's meant for the consumer not the security pro
d) A security-ignorant consumer (the masses) will incorrectly conclude that the website IS secure based on seeing the WHS certification logo, even thou WHS is not making that claim

We need more in-depth verification and more process, not less. Projects like the OWASP Application Security Verification Standard meets that challenge head-on.

PS: So in a few years, when we have a "Aspect Assured" logo, please give me a hard time. :)

No comments: