securitymetrics.com, when security is misleading

A vendor today sent me their “PCI certificate.” Turns out this was just a site scan for their external mail server. This is a Google result of what their site certificate looks like (this is just a random Google search result, not my vendor): site certificate.

That’s pretty damn misleading. But then again, so is the entire SecurityMetrics.com website. Check out their steps to PCI compliance. Yes, that says 25 minutes to PCI compliance.

If you have desktops that fall under PCI scope, you can buy and run a scan from their website. Oh shit, someone should tell Steve Gibson to rebrand his ShieldsUp! service.

To at least give the benefit of the doubt, there are some hints that this company actually knows how to do PCI compliance, but the vast majority of their site leads customers down the path of thinking PCI is cheap and easy and takes very little time and only requires making up answers on a self-assessment questionnaire and an external vulnerability scan.

This is really the kind of low-bid crap that causes real security to be elusive.

2 thoughts on “securitymetrics.com, when security is misleading”

  1. No excuse but still: Security is like sex. A little is better than nothing at all. Is such a certificate valuable, or is any certification at all? When is certification a marketing scam and when does it hold value? Hey, if the former is a form of social engineering, then how could you value the latter? Would you trust them? 😉

  2. I wouldn’t trust them, no. Then again, how correct should someone be before they are trusted? A naive SMB may trust securitymetrics.com, but a more knowledgeable security gal may not at all. Then again, Ligatt falls into this bucket, yeah? 🙂
    I wanted to get an analogy, but didn’t have a better one than being required to go take your car into some shop of your choosing to get a safety inspection before you can drive it on the road. If you actually care about your safety, you’ll go to someone with a good rep, who understands car safety, and would be themselves vetted in their industry. If you just want to get past the requirement, you go to the cheapest shop in town that barely checks anything, signs a paper, and you’re done.
    I just don’t like when someone then claims their car is safe for road driving, when in fact they may not. In my case, claiming they are secure because they bought some very crappy scan from a “scam” company, which I then have to trust by proxy in order to do business with them. And I certainly am not going to require of them myself that they spend big bucks to get a “real” scan…
    Such is that security world right now. 🙂
