So why are there so many bad, nonsecure and just plain broken security products on the market? Should we depend on the unseen hand of the free market to allow the better products to bubble up to the top? Bruce Schneier's recent column in Wired magazine shows that better products don't necessarily mean more secure products. Consumers would rather have an easy-to-use product than a secure product; in other words, they want the dancing bears and chocolate. So products that have lots of blinking lights will win out in a free market over those that actually work. As Bruce mentions, what is needed is some sort of label to let consumers know just how secure a product or service is. Sorta like the SPF rating on sunscreen, this way people can pick the level of security they need for their environment. Bruce wrote about this before, back in 2001, but the idea is much older than that. I first heard about such an organization that would rigorously test and rate the security of products from Tan at the L0pht. He wrote and published a white paper waaay back in January of 1999 calling for a Cyber UL to test and rate security products.
So here it is, over eight years later from that first call to action. Eight years. And we still have products like Secustick being released and used by the French intelligence agency. Obviously there is a need for such an organization, so where is it? Why hasn't it been created yet?