Top 5 Things I don’t want to hear at RSA this year

This year marks my 10th year attending the RSA conference. While the conference (and the security industry) has grown significantly in that time, the marketing conversation from the vendors has not.

Since I’m on the people and process side of things, it annoys me to no end when I see vendors proclaiming some of the nonsense that they do. One of my hobbies has become talking to the vendors to see just how thick they are shoveling the BS (apparently I am a glutton for punishment). The old adage of course applies: if it sounds too good to be true, then it probably is.

With that said, here are the top 5 things I do NOT want to hear on the RSA Expo floor this year.

#5) We’ve secured the cloud. First of all, we haven’t even defined the cloud. It typically means outsourcing some part of your system to somebody else’s infrastructure, but what that actually means varies tremendously once you get down into the details. If you can’t define it, you probably can’t secure it either. The reality is way too complex to make such blanket statements.

#4) Advanced Persistent Threat. Ever since the recent Google hack, this term has been thrown around quite a bit. The so-called “Advanced Persistent Threat” is something that has always been there, and probably always will be – the sophisticated attacker on the inside. If somebody tells you they have a solution that is guaranteed to deter the sophisticated, targeted inside attack, run away as quickly as possible. You can mitigate this problem, but you will never completely prevent it.

#3) “We’ve solved the application security problem.” I actually had a vendor say this to me with a straight face last year. Let’s be clear: no, you haven’t. Case in point: one of my colleagues, a professional penetration tester, told me a story about a test they did where an application firewall was in place. The firewall was thwarting all of their attacks for the first day, so on day two the team shifted their focus to the application firewall itself. After they succeeded in killing it, the tests ran smoothly from there on out. Once again, the reality is way too complex for blanket statements.

#2) Our product is secure because it’s never been broken. Is that really your criterion for security? That’s like saying “I know there’s no life on other planets because I haven’t personally seen any yet.” How about “we make our product as secure as possible by incorporating secure development practices into our lifecycle, and we hire reputable third parties to thoroughly penetration test our product”? That would be a good start. Pro tip: the reason your product hasn’t been broken is most likely that the right person hasn’t looked at it yet. ALL applications have bugs!

#1) Nothing can get past our [Firewall/Anti-virus/IDS/IPS/Wizbang new security product]. Repeat after me: there is no silver bullet, and there is NO SUCH THING as 100% security! It’s OK! No one actually expects you to be perfectly secure. It’s what you do AFTER you’ve been hacked that matters. Misinforming your customers by saying that your product is 100% secure makes you look silly and ultimately puts your customers at greater risk. I would much rather have no security at all than a FALSE sense of security.

As a reminder to all the RSA Expo vendors, we have created a special limited edition t-shirt for you to wear on the Expo floor:
[Image: No Silver Bullets T-Shirt]

Stop by booth #2058 to pick up your t-shirt while they last!