Over-Engineered Security Products, Symptoms and Signs
Ever open the console of a security product and find yourself lost in a maze of features and settings that are business line-specific or completely out of place? If you answered yes, then you're not alone.
The security sector is tightening, and along with it, the revenue available to spread among the remaining players. It's no secret that when looking to gain a competitive edge, a company's moves are not necessarily in your best interest. These moves can result in poor-quality products, over-engineered solutions and a much higher cost of ownership for you.
The Pressure to Deliver
Because some companies are fighting for every penny in attempts to maintain a foothold in the sector, they are more likely to honor feature requests from larger customers or potential large customers. As you would guess, this is driven by the expectation that the large customer will buy more products if their requirements are baked into the product.
The problem here is that what's good for that large customer they're courting may be useless, or worse yet, harmful to you. In recent days I have personally witnessed several vendors bolt on feature sets that clearly were added for their biggest buyers.
On the surface you may ask, "What's wrong with giving the customer what they want?" The problem arises when you are forced to upgrade to these new builds that are completely different animals than what you had originally purchased.
For example, a well-known vendor that built a solid name on their SSL products bolted on features that 90% of the existing client base would never use. This was done to serve the needs of a specific and specialized technology business sector. Along with the wealth of new features came complicated configurations, more bugs, longer learning curves and less intuitive interfaces.
In the end, when these products are forced on you because of the support lifespan of builds, you're the one footing the bill for downtime, misconfiguration, training, support and, worst of all, security breaches.
Quality Assurance? Hardly
Another part of the business process that is altered in the pursuit of profit is the quality assurance cycle. Incredibly, business managers are now willing to risk damage to their brand name in order to achieve lofty sales figures, grab a higher percentage of the market or land a giant account.
The mechanics of this are simple. Shorter QA cycles mean that the product hits the market faster, with the hope that the product is positioned for maximum profit. This also lends developers more time to shoehorn in more features. This of course snowballs over to the marketing people, who are charged with coming up with more ways to pitch the product.
Agreeing to speak under anonymity, a QA specialist for a security software company told me, "We have much less time to run through our test scripts. Mathematics eventually proves what we already know. If you need 45 days to run through a full test cycle and you're only given 7 then obviously certain tests are not going to be performed."
He goes on to say, "We have actually pushed the QA burden out to the customer in the form of more aggressive beta testing programs. We rely on them to catch things that we know won't be checked on our end."
Know The Signs
All is not lost if you know what to look for. Many times the signs are there if you stop to look for them.
The first thing to look for is a company that is struggling in the sector. These companies will be more likely to cut QA cycles or to bend to a feature request from a potential or existing large customer.
Read and understand SLAs and EULAs. Many times when you see that a company will only support a build or two beyond what is current, you can bet that you're going to be forced to upgrade a lot more often, and with each upgrade you may inherit all of the new features that go along with it. Be sure to pay attention to verbiage related to bugs and to what the vendor's remediation process and responsibility are. Tricky wording here is a sign that the vendor may have had past issues with customers who sought litigation to solve a software problem.
Be leery of sudden beta programs that never existed before. Many times this whitewash scheme, billed as being for your benefit, is just the opposite.
Keep an eye out for companies who are acquiring other companies in attempts to grab a larger chunk of the market. When these technologies are merged, many times you end up with a Frankenstein-like monster rather than a unified product that does a lot more.
Look out for unusual or useless features that show up after an upgrade or service pack. This can easily put the product on the road to over-engineering. Many times you'll see this in the form of a rapid series of major point releases.
Talk to your peers. Many times this is the best way to get the real story on what's happening with a product. Networking at trade events is invaluable and should be a requirement these days. The amount of valid information gathered at these events is priceless and it's typically during these events where you'll hear important news before it hits the press.
Finally, watch for companies that call major upgrades a service pack. This is done to avoid recertification of their products, which may not pass the rigorous requirements needed to earn certain industry certifications. The other obvious concern, which you cannot blame them for, is the enormous cost of having a product certified. Still, this is a red flag that needs investigation on your part.
We've looked at many factors that may suggest that a company is going to provide you with low quality and/or over-engineered products. Seeing one or two of the symptoms above certainly does not prove that a company will dump a bogus product on you. The idea here is to evaluate a vendor's performance beyond its product portfolio so that you can spot trouble before it shows up at your door.
This article was first published on EnterpriseITPlanet.com.