Jun 21, 2024 3 min read

The Poor State of Security Tools

Blog post about my recent frustrations regarding security related tooling.

The Poor State of Security Tools
Photo by Matt Artz / Unsplash

This is a topic that has been on my mind a lot recently. That is the poor quality of many of the security tooling that is out there at the moment. I say this as I’m currently sitting in an airport at the moment, and I’m unable to use my work laptop because the security tooling on it won’t allow me to connect to the local WiFi. This is because it requires the captive portal for the WiFi to show in order for me to connect to the WiFi to be able to obtain a connection. Except it won’t connect, since it doesn’t detect the captive portal (iOS seems to be doing this just fine though). And it does have this feature to detect captive portals! It just doesn’t work.

This is one such example where I’ve had to deal with a frustrating issue regarding a security related tool. Another, rather important tool, that I heavily rely on is stuck in the dark ages. They’ve effectively tried to leverage every bit of money out of this tool of the years with little to no modernisation of the tool. The end result is that other tools are not far superior to this tool. The vendor has finally managed to cotton onto this, and has finally started to make some progress of trying to bring the tool into the modern era. The problem? They’ve actually made the tool worse in many cases! To compound the issue, the customer support and service that I’ve received from the vendor has been absolutely atrocious! And this is a well known and established tool, although many people now seem unhappy with it (and rightly so).

It’s a really sad state of affairs, when open source tooling is far superior than some of the tooling that you end up having to shell out thousands for. One aspect of this, I think is the “blinky boxes” type thought. With enough marketing spin, they make out their tool to be something it is not. One vendor, who I won’t name, has had a lot of PR over the past few years, and is well known in the field. Yet this very tool was unable to detect a text book case of a SQL Injection… across multiple languages! To me this seems entirely bonkers.

Another area that I’ve seen many make mistakes on, is also not appropriately assessing tools. They just pick something, without taking it through its paces, and then are happy to sit with it, warts and all. Vendors then know this and that they can get away with having products that perform poorly, and poor customer service.

So what are things that we can do? Firstly, put the tools through their paces BEFORE you buy them. Make sure that the tool does what the vendor claims it will do, and that it will work in your environment. Also make sure that the tool will work in YOUR environment for YOUR problems and use cases. Next is to hold the vendor to account. You ARE the customer. You should feel comfortable in raising issues or challenging the vendor where the tool is not performing as claimed. Don’t accept weak or poor answers.

Finally the sales tactics. These drive me utter bonkers to be honest. The amount of cold calling and, frankly spam, that I receive is astounding. My view is if I want something, I will reach out to the appropriate vendors for a problem or gap that I have. I don’t need some vendor, or often doesn’t particularly have a vested interest in me personally, to start making up problems for me (which often don’t exist). My personal view on this is to ignore such cold callers, particularly they seem to invent problems that you “may have”.

In closing, we as an industry have a long way to go in terms of our tooling, and a lot of work to make sure that we can route out the bad apples (and there are unfortunately quite a few), so that those who do have good tools and good solutions thrive and ultimately make everyone’s lives that much better!

Sean Wright
Sean Wright
Experienced application security engineer with an origin as a software developer. Primarily focused on web-based application security with a special interest in TLS and supply chain related subjects.
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Sean Wright.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.