Vendor Self-Assessment—The Good, The Bad, and the Ugly
A vendor self-assessment of the security of its IT products is in general a good idea, if it is done right. Vendors generally perform some kind of self-assessment of their products for many aspects, and security is (if at all) just one of them. The problem is that security often conflicts with other requirements such as time-to-market, performance, cost, and ‘fanciness’. In this dilemma security is quite often viewed as less important, and security problems known to the developers are ignored with the argument: we can fix this later when we have time (which quite often means never).
The presentation will present the benefits of a ‘good’ vendor self-assessment, its potential problems, and historical cases where this went wrong, with disastrous results. The presentation will also show how a vendor self-assessment (done right) can speed up third-party assessments and thereby help to overcome problems with some of today’s third-party security evaluation schemes.