I am a trustmark hater, I admit it; this should surprise no one.
I have labored long and hard over this post, but I believe it to be relevant and important.
WhiteHat Security, the company born of Jeremiah Grossman's vision for web application security, has instituted a trustmark program.
Carefully branded as a Security Certification Program, this offering seeks to raise the bar on the trustmark concept; a game changer, if you will.
On one hand, this won't be hard to do.
As I have in the past, I could rail against the dime-a-dozen, pseudo-fraud programs that are nothing but conversion gimmicks designed to drive sales through falsely gained consumer confidence. They can all take their Nessus scanners and bugger off.
Instead, I'd like to describe why I think WhiteHat Security can shed new light and standards on this concept.
1) Reputation: WhiteHat Security has always been a premier brand in the realm of web application security. This is indisputable. Their scanning engine, their business model, and their personnel are all geared to the cause; they are experts in this field.
2) Value of the service: I know firsthand how much WhiteHat labored over the process of offering a Security Certification Program, specifically over how to do so without falling into the same lameness all the others so readily exhibit. This program is not about conversions first, security second. The certification is offered only to WhiteHat Sentinel customers. While there are no guarantees, if you are a Sentinel customer and you choose to fix the flaws Sentinel discovers, your exposure to web application security flaws drops sharply. I know this not from whitepapers or marketing claims, but from experience.
3) Lack of arrogance or false claims: A trustmark that reads "Website Security by WhiteHat Security" is not claiming to be Hacker Safe, Hacker Proof, or Hacker Free. Clicking the trustmark leads you to the following:
"This site employs WhiteHat Sentinel, WhiteHat Security's industry-leading website security solution. To help address concerns about safeguarding your confidential data from security breaches and hacker attacks, the "Website Security by WhiteHat Security" mark appears only on sites that use the WhiteHat Sentinel Service."
No BS, no hype, no false claims of grandeur or impenetrability, just simple facts.
4) Jeremiah Grossman: Jeremiah knows this business better than anyone. As a businessman he was driven to consider adding a Security Certification Program by customer demand. Whether we like it or not, customers like trustmark seals and benefit from them, no matter how lame a trustmark program may be. Customers using WhiteHat Sentinel are paying for the privilege; this is not a $250-a-year scam with no value other than false confidence. Jeremiah's reputation is bound up with the success of this program. He is well aware of the pitfalls, and I know he has the integrity to ensure its value as a real security-first offering.
I expect WhiteHat Security to manage this program from the perspective of an industry standard-bearer, as their first customer has indicated.
Should the rest of the wannabes and posers in the trustmark game raise their standard to this level, I'd have less to talk about.
Good luck and godspeed, WhiteHat, the industry needs your continued integrity in this space.