Certifications of products and staff - a bad thing?
There is an ongoing debate everywhere, and has been for years, about certifications, standards and regulations - for IT/IS security staff, the related processes and procedures, management and of course security products. They are supposed to help us separate the wheat from the chaff: security experts from network administrators, good software development practices from bad, and not least, good security management practices from bad.
However, I think we generally put a lot of effort into making complex problems look easy, and I think certifications are such a case. In the worst cases, I think certifications might make people, processes and companies lazy when it comes to security. Why? Because they contribute to the feeling of being "enough", although they might not be. Let's look at some examples:
What is a security expert and a professional? Many of us agree that calling ourselves experts and professionals might be a bad thing. We would much rather have someone else call us that, right? This is where security certifications come in handy, because they label us as professionals and experts (like CISSP, Certified Information Systems Security Professional) if we only pass some small tests. Most people agree that these certification tests are unrealistic, easy and don't mirror the real world. So how much expertise does such an expert actually possess? Due to the relative ease of getting such a certification, it is a short route to being acknowledged as an expert.
Similarly, what is a secure product? Common Criteria and its product certifications claim to answer that question by evaluating products against the specifications of "a secure product". However, the level of detail in these specifications is low, they (can) assume unrealistic environments for the product to be placed in, and, as the name implies, it is all too "common" and can be applied to all sorts of products. As with personal certifications, product certifications can be a short route to being called and considered secure. Although a Common Criteria certification process is exhaustive and expensive, it might keep vendors from focusing on the real flaws - and once the certification is in their hands, they might consider their security efforts to be "good enough". Which might not be the case.
In the real world, there is no guarantee that a CISSP-certified person has the level of expertise required for a security job. Similarly, a Common Criteria certified product doesn't mean that it won't have flaws. In my opinion, effort, results and experience constitute expertise, and the security of a product isn't about facts such as "number of vulnerabilities" or "number of zero-day exploits", but about how these issues, such as flaws and vulnerabilities, are handled.
