- Data At Rest Encryption Solutions - http://data-at-rest.com -
Certification Certainty
Posted By Bryan Glancey On 10. April 2009 @ 20:18 In Main | No Comments
One of the important differentiators in the INFOSEC market is certifications. Certifications don’t, in themselves, make software better - they just remove risk by forcing independent review of products and technologies.
We all know, nowadays, with tainted milk from China and poisoned pet food, how important it is to have some controls between you and the lowest-cost manufacturers. A number of security solutions have gone this way, with very little separation between the people creating the solutions that protect us and the people we want to be protected from.
Call it globalization, call it outsourcing, call me crazy, but just as we are combating botnets and espionage from China, a great number of people are having their security applications written there on the cheap. The wonderful thing about standards like the Federal Information Processing Standards (FIPS) or Common Criteria (CC), or even NSA code reviews, is that someone is ‘Watching the Watchmen’ (‘quis custodiet ipsos custodes’ for you Watchmen fanatics).
You would not believe the number of ‘security’ companies that don’t keep up their certifications, even companies that are supposed ‘industry leaders’. Their FIPS validation has lapsed, they have no Common Criteria certification - or it’s a joke of one (make sure you look at the evaluation level and protection profile).
So, net net: CAVEAT EMPTOR. There are a number of people out there that would like nothing more than to sell you not-so-protective protection. Check their certifications yourself on [1] www.nist.gov/cmvp (FIPS cryptographic module validation) and [2] www.commoncriteriaportal.org (for Common Criteria). Take note that you can click on their certification and see exactly what they are claiming they do (in FIPS it’s called the Security Policy; in Common Criteria it’s called the Protection Profile) - you will find for yourself that it’s often a complete joke.
The more everyone learns about security, the faster vendors can be made to produce secure software. Perhaps someday it will be CAVEAT VENDITOR - let the vendor beware - and companies will produce secure and independently verified software that truly delivers protection.
URL to article: http://data-at-rest.com/2009/04/10/certification-certainity/
URLs in this post:
[1] www.nist.gov/cmvp: http://www.nist.gov/cmvp
[2] www.commoncriteriaportal.org: http://www.commoncriteriaportal.org/