by adrien » Nov 23 04 4:33 pm
Hi
The issue of independent certification is a sticky one, which we have considered before. With all due respect to the certification organisations, we haven't yet really seen a hugely compelling reason to seek certification. Mainly because of several drawbacks to it, namely:
a) it is expensive (you pay a fairly sizeable fee to cover the testing)
b) it is only given for one version of the software; if you develop another or put out an upgrade, you need to get it re-certified, since at any stage it is possible to introduce vulnerabilities. We frequently put out updates.
c) they can only "black-box" test the product with known tests - i.e. they can only test for what they know. They don't get the source code to analyse and look for weaknesses in.
There are of course some obvious advantages as well, but overall, from the customer's perspective these certifications are usually justified by a developer primarily in terms of marketing value.
To date, for this we have relied on real-world experiences by users. We have many installations in banks and other security-conscious organisations, we protect our own servers with the product, and are subjected to a multitude of attacks on a daily basis. Battle-hardening is a key to security that cannot be overlooked.
So in summary, the jury is constantly out on this topic; it is not written off forever. There may well be a time in the future where we decide the best path is to seek certification.