18 Feb 2011
Experts have called for the IT security industry to improve its products and adopt universal testing metrics so that buyers can get a clear idea of what works and what doesn't.
Paul Kocher, inventor of the third version of SSL, said that the security industry lacks oversight, and that some products simply do not work as advertised.
Too many people are making money by selling a product and then charging to fix its initial failings, which is not a desirable business model.
"We need to have regulation or liability; at the moment we have neither," he said. "Some products are snake-oil. I suspect this will be decided by the lawyers."
Kocher pointed to the aviation industry as an example of best practice, where a full investigation is held after every crash. Flaws are analysed and design changes enforced among airlines and aircraft manufacturers to avoid the problem in the future.
Sal Stolfo, professor of computer science at Columbia University, complained that there is no agreed standard of testing to inform buyers.
"The industry needs to invest in testing to get rid of the snake-oil. There's a hodge-podge of metrics, but most of them are on how good malware is," he said.
"There are some cost metrics for intrusion protection systems, but it's not a science yet and it's underdeveloped."
Security expert Hugh Thompson agreed that there are too many poor products out there, although he pointed out that there are some reasonable metrics for cryptography.