Thursday, May 28, 2009

WhiteHat's trustmark program as a game changer

I am a trustmark hater, I admit it; this should surprise no one.
I have labored long and hard over this post, but I believe it to be relevant and important.

WhiteHat Security, the genesis of Jeremiah Grossman's vision for web application security, has instituted a trustmark program.

Carefully branded a Security Certification Program, this offering seeks to raise the bar on the trustmark concept, a game changer if you will.
On one hand, this won't be hard to do.
As I have in the past, I could rail against the dime a dozen, pseudo-fraud programs that are nothing but conversion gimmicks designed to drive sales through falsely gained consumer confidence. They can all take their Nessus scanners and bugger off.

Instead, I'd like to describe why I think WhiteHat Security can shed new light and standards on this concept.
1) Reputation: WhiteHat Security has always been a premier brand in the realm of web application security. This is indisputable. Their scanning engine, their business model, their personnel are all geared to the cause; they are expert in this field.
2) Value of the service: I know first hand how much WhiteHat labored over the process of offering a Security Certification Program, i.e. how to do so without falling into the same lameness all the others so readily exhibit. This program is not about conversions first, security second. The certification is only offered to WhiteHat Sentinel customers. While there are no guarantees, if you are Sentinel customer, the statistical likelihood of your exposure to web application security flaws goes down exponentially should you choose to fix the flaws they discover. I know this not due to whitepapers or marketing claims, but from experience.
3) Lack of arrogance or false claims: A trustmark that reads "Website Security by WhiteHat Security" is not claiming to be Hacker Safe, Hacker Proof, or Hacker Free. Clicking the trustmark leads you to the following:
"This site employs WhiteHat Sentinel, WhiteHat Security's industry-leading website security solution. To help address concerns about safeguarding your confidential data from security breaches and hacker attacks, the "Website Security by WhiteHat Security" mark appears only on sites that use the WhiteHat Sentinel Service."
No BS, no hype, no false claims of grandure or impenetrability, just simple facts.
4) Jeremiah Grossman: Jeremiah knows this business better than anyone. As a business man he was driven to consider adding a Security Certification Program by customer demand. Whether we like it or not, customers like trustmarks seals, and benefit from them, no matter how lame a trustmark program may be. Customers using Whitehat Sentinel are paying for the privilege, this is not $250 a year scam with no value other than false confidence. Jeremiah's reputation is inherent to the success of this program. He is well aware of the pitfalls, and I know he has the integrity to ensure its value as a real security-first offering.

I expect WhiteHat Security to manage this program from the perspective of an industry standard-bearer, as their first customer has indicated.
Should the rest of the wannabes and posers in the trustmark game raise their standard to this level, I'd have less to talk about.
Good luck and godspeed, WhiteHat, the industry needs your continued integrity in this space. | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)


Rafal Los said...

An admirable venture by WhiteHat. My problem continues to be my eternal skepticism. I know Jeremiah well enough to feel relatively sure that their seal isn't bullsh**; which is a relief - but now I'm on the "wait and see" bus.

White Hat's seal is different then the other crappy "seals" because it actually offers a security service LOGO, whereas the rest of them offer a logo pretending to be a security service. BIG difference.

As they say... proof is in the pudding. I don't like pudding much either... dammit.

Declare.James said...

Looks like Whitehat is focusing on what all "Trust Mark" providers should be doing. Placing Security first, marketing second.
Im under the same opinion of Raf's comment and would like to see how this "Mark" evolves.
Looking at the mark, the only question I have, is are all customers allowed to display the "Trust Mark" at any given time, or is it dependent on how secure their site is. I know that this mark only describes that security auditing is being conducted by WhiteHat, but will it give the false impression to the public that the site is free from vulnerabilities. A common issue that all "Trust Mark" providers have to overcome, including McAfee Secure.

Jeremiah Grossman said...

@Declare.James We gave our program a serious amount of thought for literally years. We explored all options, consulted with a great many outsiders and customers to get their guidance.

I think it's also fair to say that what we're offering is more of a "Trust mark" than "Security mark." We do not want lay claim as to the implied security of a website, or the lack thereof. Doing so is a very slippery slope. If our mark does that it is not our intent and we are open to ideas on how best to clarify its true meaning.

To answer your question, only Sentinel customers may display our mark -- which does not come cheaply as compared to others. Organizations who use the Sentinel Service are those who really care about security and the mark should represent that.

Hope this helps.

Ravi said...

While there is no question that Sentinel is probably the best service in its class, the issue with the "trust mark" is no different that any other seals, infact almost the reverse issue.
Whatever the fine print might say, its an issue of perception. This is being advertised as 'website security seal'. Question is, does a world class web application scanner make the 'website' secure? What about the network vulnerabilities on that site? They will still make the 'site' vulnerable. What about injected malware?
Such a seal would really truely make sense if the site was scanned by Sentinel and Qualys and protected by host based firewall like Third Brigade or someone.
Just like Scan Alert seal created an impression the site was secure when they did only network vulnerability scans, this seal creates the wrong impression in the opposite manner

Anonymous said...

It's marketing just the same, when you place any visual "mark" on a website which is aligned with an organization, corporation, etc.

But if we are talking about marketing, I got to say, "White Hat Was Here" sounds cool and catchy and does not promise anything.

But if my opinion counts for anything, the humble route is classic WHITE OPS. Don't put anything! Don't say hey, "LOOK AT ME" "VALIDATE ME PLEASE!"

Just do the work, bill the customer, and be done with it.

Some of the best mind games against a foe, is to not tell them anything, don't show them anything.

Let them be the fearful one. Let them agonize about why they cannot break in. Don't give me them an inch.

Moving blog to

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...