An exclusive interview with Security Vibes, Paul Simmonds, Board Member of the Jericho Forum and Global IS Integrated Assurance Director for AstraZeneca, revealed that the Jericho Forum is soon to release a set of nasty questions to ask security vendors. These questions will let purchasers of security products quickly see through vendors' marketing and sales speak and assess exactly how secure and useful a vendor's products actually are. According to Paul Simmonds,
"...we've been working for a number of months now on taking the eleven commandments and turning them into a self-assessment process that can be used twofold, one by the vendors so the vendor hopefully will self-assess their product and as part of a request for quote process will come in and say here's my Jericho Forum self-assessment summary of how ready my product is, but conversely we're hoping that middle managers and the smaller companies out there who haven't been intimately involved in de-perimeterisation, we're giving them a ready list of nasty questions to ask the vendors as part of their buying process."
The questionnaire is based on the Jericho Forum's Eleven Commandments for working securely in a de-perimeterised security architecture, which many companies already use as a basis for their RFPs (Requests for Proposal). The questionnaire brings both immediate benefits and a longer-term impact. In terms of benefits, having a ready-made checklist of questions:
- will help companies unfamiliar with de-perimeterisation to know the right questions to ask security vendors
- will ensure compliance with the eleven commandments of secure de-perimeterisation
- will cut through the marketing hype and ensure thoroughness of assessment of a security product from a vendor
The long-term impact should be that the strength of security products is raised overall, and that vendors themselves use the questionnaire as a checklist to confirm that their own products are secure before releasing them for general use.
Paul Simmonds gave us an example of one of the nasty questions and of how to rate a vendor's product against it. The question is drawn from the commandment that essentially says:
Devices and applications must communicate using open, inherently secure protocols (the security solutions for the Jericho architecture for de-perimeterisation have to be based on open standards and protocols that are widely accepted). For example, a product should use SFTP rather than FTP.
The example question for a GOOD rating asks: out of the box, are you using only secure protocols?
The example questions for an EXCELLENT rating ask: out of the box, are you using secure protocols, and are they documented? And if you offer the option to downgrade the security, have you fully documented the pros and cons of downgrading?
As Paul Simmonds said in the interview, “Hopefully it will sort out the cowboys from the vendors with genuine product”.
The list will be freely available from the Jericho Forum site some time towards the end of May/June. The full interview is available at Security Vibes.