Tuesday, October 07, 2008

The McAfee Secure Standard: Sort Of

I need your help.
I am in receipt of the McAfee Secure Standard, drafted to transparently describe the McAfee Secure service, as promised during my meeting with Joe Pierini and Kirk Lawrence of McAfee some weeks ago. I admit my attitude has soured since last I discussed it here, as the Standard is not yet ready for public release (I last said 2-3 weeks and that was five weeks ago), but bear with me. I can't publish exact quotes from the Standard, as I've promised not to, but let me give you insight on the upside, then the downside.

The upside includes all the transparency we'd hoped for. You'll read the McAfee Secure Standard and know exactly where they stand with regard to what can be expected of the McAfee Secure service. My discussions with Joe Pierini have been productive and respectful; he means well, and I believe he will try to drive the greater McAfee leadership to officially incorporate suggestions made in this blog.
I have even had the pleasure of reading a Researcher/Finder Policy that very succinctly describes what researchers can expect when they submit vulnerabilities found in McAfee Secure sites. That's all good stuff and to be applauded.

Now for the downside.

The McAfee Secure Standard will draw a clear distinction between "enterprise" customers and all the Ma & Pa websites who have so loved McAfee Secure / ScanAlert Hacker Safe for conversions.
The most glaring and painful distinction for me is this. While enterprise customers will have a clearly defined timeline in which to remediate script injection vulnerabilities like XSS and open redirects before losing their McAfee Secure badge, the Ma & Pa sites will have absolutely no requirement to fix their XSS issues. XSS vulnerabilities and the McAfee Secure badge will continue to coexist on all those sites that care more about "convincing" their customers that they're secure with a McAfee Secure badge; a badge that, by its own pending standard, will contradict what we know to be truly secure.

My views are clear. I have made every effort to convince McAfee that this stance runs counter to good web application security standards. I believe that, in their own way, they are listening. So here's your chance.
1) Is transparency enough?
2) Is holding only enterprise customers accountable acceptable?
3) Should ALL McAfee Secure customers be expected to fix their vulnerabilities, even if on different timelines?
4) What else do you want McAfee to hear, in the form of constructive feedback only?
I will publish all well written, thoughtful comments here. Let's keep it positive and see if we can help convince McAfee that script injection vulnerabilities and McAfee Secure can't exist in the same physical space. Like matter and anti-matter. ;-)
The floor is yours...


7 comments:

mckt said...

Let me see if I understand this correctly:

- Despite having different standards, 'Enterprise' and 'Ma and Pa' sites will have the same badge on them.
- A user familiar with the published standards will still have no reasonable expectation of security even on a badged site.
- Even the enterprise ("more secure") customers will keep their badge after vulnerabilities are found - for a period of time, at least.

It is pretty clear that the McAfee Secure badge has absolutely no value to an informed consumer, and even more clear that McAfee has no intention of making it so. That is the one aspect of the service that I can see having some potential use. I expect that the 'McAfee Secure' certification will not do much good for conversions once enough people realize this.

Maybe a new brand - "McAfee Sucker" - is in order?

BC said...

If I were an enterprise customer paying for additional support and services I would want that distinction made clear versus those who do not.

From a consumer / security perspective transparency is best. I want to be able to trust that the 'McAfee Secure' badge actually indicates what it is supposed to mean, that the site is secure and safe from security defects. Today it means absolutely nothing and will continue to mean nothing until some distinction is made between those that actually have to fix their site and those who do not.

Unfortunately the customer still blindly accepts that McAfee has the consumer's best interest at heart, although within the security community McAfee has been taking hits to their reputation. (Case in point: one of this year's Pwnie awards was given to McAfee.)

As with the current sub-prime mortgage crisis it is only a matter of time before the negative reputation they are now building affects their pocket books.

After all, a security focused company without trust or integrity isn't much of a security company at all.

Rafal said...

@mckt - Russ asked for constructive... although sadly I am with you on your point...

@Russ - Seriously, I re-read this a few times and can't come up with a non-negative response. I've even tried to see this from the business side of things. But in the end transparency isn't enough because it won't be posted with the logo "This site is McAfee Secure - but probably has security issues we won't be fixing" - I can't imagine that badge changing to something like that quote.

Whether you're at an enterprise, or a Ma & Pa shop, your customers deserve to be treated with honesty and truth - so to lie to them and claim to be "McAfee Secure", which is what this amounts to, is crap and should be punishable by law under the "deceptive practices" umbrella. In fact, I would be willing to say that if I came across a company I wanted to buy something from that had the logo (enterprise or not), and I had credible intelligence that the site was "hacker-friendly"... I would file a class-action suit. This crap has got to stop. It's giving our industry a bad name.

It's clear the goal is to make a buck, not be secure - which is sad. It's also clear that PCI has no teeth, which is more sad. In light of that, I think this whole argument is moot.

I'm sorry Russ, I really tried to be constructive.

Anne Henmi, CISSP said...

Hi Russ,

I'm going to answer your questions directly. I am also going to make this clear that I'm a former employee of McAfee, and I do not say this in revenge, and it is only constructive criticism.

1) Is transparency enough?

No. If they are going to have two different products, they need to be classified as such, and the logos need to be different.

2) Is holding only enterprise customers accountable acceptable?

No. If someone sees a "McAfee Secure" logo on a Ma and Pa site, and attackers are smart enough to know the difference, then they open themselves up for an attack. McAfee is not doing its due diligence.

3) Should ALL McAfee Secure customers be expected to fix their vulnerabilities, even if on different timelines?

Yes. I'm not sure I would do this on different timelines though. Technically, it's the same product because the same logo will appear on different customer sites.

4) What else do you want McAfee to hear, in the form of constructive feedback only?

Honesty in what vulnerabilities they are testing. I could not in good conscience recommend it to anyone because they are not being honest with their customers.

People have a hard time securing their sites, and this would leave ma and pa sites very much open to attacks because the attackers will know the same thing the site owners do: McAfee's policy.

As a CISSP, we adhere to a code of ethics. McAfee's policy would violate them, especially the last one:

* Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
* Promote generally accepted information security current best practices and standards;
* Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
* Discharge professional responsibilities with diligence and honesty;
* Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association; and
* Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers.

cudweeds said...

Whatever happened to integrity in business? A word and a handshake meant everything, because if you became known as a liar or cheat, no one would do business with you.

I guess integrity is such a rare thing that no one expects it any more - to a point where even a major security company doesn't have to worry about their reputation. Must be nice to be that rich...

Ken said...

So, as an owner and operator of a "Ma & Pa" commerce site, I paid for ScanAlert/McAfee for a little over a year. Each time a vulnerability was raised, I had to spend a huge amount of time either changing my site structure or begging my host provider to upgrade, patch or modify my server. As far as getting my site PCI certified, I was never successful and gave up, since my 3rd party payment service is PCI certified. In the end I finally canceled my subscription to McAfee. (I have seen no measurable reduction in site usage or orders, by the way.)

But I did like to have a 3rd party review my site for common security issues, such as XSS, SQL injection, etc. What are my options now? Are there other tools or services that are more cost effective?

Simon said...

Perhaps I'm coming in at the wrong point of the wrong discussion, but...

While the standard is important, there is another element here that isn't mentioned: SiteAdvisor.

I'm sure you all already know this, but even if you sign up for McAfee Secure and do what you're supposed to (i.e. fix vulnerabilities, remove dodgy software, etc.), SiteAdvisor can tag you red... and once you're tagged you are completely hosed for as much as six weeks.

This speaks to the integrity of the program, I think, which is why I raise the issue. Conceptually, as a McAfee Secure customer, one is spending money to ask them to find vulnerabilities - so one can protect one's customers. But then another arm of the same company tags your site red, and your customers ask what you are going to do about it... my answer would be to sign up for a service that helps one avoid this like... oh, hang on... oh, McAfee Secure doesn't get it done.

Speaking with Secure recently, I reiterated that we pay them to protect our customers; that I'm personally OK with them removing the badge fairly quickly - so long as the remediation and re-scan period is equally short. Seems to me that the value of the whole blasted thing is being able to protect one's customers.

Anyone else run into this? If so, what are your thoughts/recommendations for getting out of SiteAdvisor purgatory?