Archive for October 2007


On security spending

Security spending is an interesting thing. I’m fascinated by how companies, time after time, throw large amounts of dollars into their security buckets but consider the job done once the product is physically implemented. Buy a firewall for 50k, have a rookie administer it. Gunnar Peterson puts it right when he says

in many cases, they are spending $10 to protect something worth $5, and in other cases they are spending a nickel to protect something worth $1,000.

You might wonder if companies are interested in results. If so, how do they get them? I would do it by collecting and reviewing metrics. I’ve recently read a book on the subject which I intend to discuss in a future post.

Common Criteria… and still multiple vulnerabilities

I was just notified of multiple vulnerabilities in Check Point Secure Platform R60. This is in no way surprising, since all software has vulnerabilities, but the interesting thing is that the product is certified to Common Criteria Evaluation Assurance Level 4+ (EAL4+). This serves as a good example of why Common Criteria and similar certifications mean squat in terms of security.

I do like one thing about the Common Criteria, and that is the choice of the word “assurance” to describe the certification. We should treat any security investment as “an increased assurance of our resistance to security incidents”. The problem with CC is that a certified product in no way assures me that it functions as promised (an IPS with zero-day protection is a good example, since those don’t exist) or that it is without flaws. The above-mentioned vulnerabilities prove that.