Monday 9 April 2012

Security Tool's vendor "No need for Doctors" Analogy

I was trying to explain to friend (from another industry) why the Application Security tools don't really work (in 99% of cases) and I had to build the O2 Platform (to make them work).

After a while I finally hit on an analogy that make perfect sense (and was easily understood).

Definition: By 'Application Security Tools' I mean a vendor that is selling a tool (or SaaS hosted solution) designed to help with a particular problem-area in the Application Security lifecycle. For example Blackbox and Whitebox tools (Pentesting and Code Analysis)

A Medical Analogy

For this analogy:
  • Application Security Tool = Medical Tool
  • Vulnerable Code = Heart Attack

What is happening is that we have companies, creating/selling Medical Tools to detect Heart Attack problems, with the expectation that Specialized Doctors will NOT be needed to operate those products.

And here is they logic behind this:

  • The key problem is that 'Doctors don't scale'!
  • .... image if we have to build Hospitals in every city and put expensive Doctors inside of it to operate this products!
  • ...that will never scale!
  • ...what we need is a product with ONE button that is simple to use 
  • ... that is the only way it will scale
  • ... then we will be able to detect/fix millions of hearts
Of course that in the real-world, the medical products created by these companies, don't really work (in 99% of cases) and since its customization capabilities are very low, the adoption rate of these products is very low.

There are four other facts that make it even worse:
  • The number of 'Heart Doctors' that work for the tool vendor is very low, and have very little power in deciding what features are added to the next versions
  • The developers and product managers for these 'heart' products have very little medical knowledge and don't even use their product to check their own hearts
  • Independent 'Specialized Heart-Consulting companies' are viewed as a market to sell to and are usually asked to pay full price (which is wrong, since these are the channel to the real-market, not the market)
  • The buying clients still have not realized what is going on, and started demanding (and paying) for tools that actually work (regardless of what is needed to get them to work)

Back to Application Security

I hope the analogy here is clear.

How many tools today are designed to be used by Application Security professionals? (just look at what the best security professionals use)

Yes we still need the 'One button' style tools, but first we need our tools/saas-services to work and to be customizable.

And it is this customizations that will create those 'one-button' solutions.

It's only you that wants this Dinis....

If there is one reply that really gets on my nerve when I talk about this to the Tool vendors, is when they say:
  • ... well only you want to customize our engine/rules that way ...
  • ... that market doesn't exist, there are not enough users out there for those customization features...
Yap, I'm sure Steve Jobs heard a lot of people saying that ... there is no market for a phone like the one you want to build... (even Ballmer Laugh at the iPhone )