Take-Away Security Tools Probably Aren’t
You have probably read one of the many reviews of security tools published in the depths of the Internet. A lot of magazines feature articles with the headline “Top n Tools for $TASK”. While reviews are a nice way of being introduced to new things, especially tools and software, you have to be careful when it comes to judging the security of code or of your new favourite tool.
First of all, you cannot analyse the security design and its possible flaws by reading the FAQ section of the project web site or the user manual. You have to evaluate the code and the components it uses. Don’t be fooled or distracted by encryption: it doesn’t necessarily secure anything. Getting a security design right is very hard, and sprinkling cryptography over serious design flaws doesn’t magically set things right. Exploring the mechanisms in depth requires testing and actually trying to attack the code.
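To make the point about “encryption that secures nothing” concrete, here is an added example (constructed for this post, not code from any tool or project it refers to). It sketches a fictitious “secure messenger” that does encrypt every message but ships a hard-coded key and never checks integrity, then shows the two attacks a reviewer would only find by reading and attacking the code, and a hardened variant that derives the key from a user secret and authenticates the ciphertext. The cipher is a toy keystream built from SHA-256 so the block runs with the standard library alone; it is a stand-in, not a recommendation. All names, keys and messages are assumptions made up for the demonstration.

```python
import hashlib
import hmac
import os

# Toy keystream (SHA-256 in counter mode). Stand-in for a real cipher so that the
# example runs offline; the flaws shown below are design flaws, not cipher flaws.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# --- The flawed "tool": encryption is present, security is not -------------------
# Constructed flaw 1: one key for every installation, embedded in the code.
HARDCODED_KEY = b"this-key-ships-inside-the-binary"

def flawed_encrypt(plaintext: bytes) -> bytes:
    nonce = os.urandom(8)                      # per-message nonce, fine so far
    return nonce + xor(plaintext, keystream(HARDCODED_KEY, nonce, len(plaintext)))

def flawed_decrypt(blob: bytes) -> bytes:
    nonce, ct = blob[:8], blob[8:]
    return xor(ct, keystream(HARDCODED_KEY, nonce, len(ct)))   # no integrity check

# Attack 1: whoever reads the code (or the binary) owns every user's key.
def attacker_reads_blob(blob: bytes) -> bytes:
    return flawed_decrypt(blob)

# Attack 2: without authentication, flipping ciphertext bits flips plaintext bits.
# The attacker does not even need the key, only a guess at part of the plaintext.
def attacker_flips(blob: bytes, known_plaintext: bytes, wanted: bytes) -> bytes:
    nonce, ct = blob[:8], blob[8:]
    delta = xor(known_plaintext, wanted)       # same length assumed
    return nonce + xor(ct, delta + bytes(len(ct) - len(delta)))

# --- Hardened variant: key from a user secret, ciphertext authenticated ----------
def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    # 64 bytes: first half encrypts, second half authenticates.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=64)

def secure_encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def secure_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # verify before decrypting
        raise ValueError("authentication failed: ciphertext was modified")
    return xor(ct, keystream(enc_key, nonce, len(ct)))

def tamper_detected(key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext bit of a hardened blob; True if decryption refuses it."""
    flipped = bytearray(blob)
    flipped[16] ^= 0x01
    try:
        secure_decrypt(key, bytes(flipped))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    msg = b"transfer 10 EUR to alice"                  # constructed sample message
    blob = flawed_encrypt(msg)
    print("attack 1, key from the code:", attacker_reads_blob(blob))
    forged = attacker_flips(blob, b"transfer 10 EUR", b"transfer 99 EUR")
    print("attack 2, bit flipping:     ", flawed_decrypt(forged))
    key = derive_key(b"correct horse", b"per-user-salt")
    print("hardened, tamper detected:  ", tamper_detected(key, secure_encrypt(key, msg)))
```

Neither flaw is visible from a feature list that says “AES-grade encryption”; both fall out of a few minutes with the source and a bit of adversarial testing, which is exactly the work a reviewer rarely does.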
Secondly, most reviews found on the Internet are based on search engine results and simple test installations. We don’t doubt that some authors do more testing, but we doubt that any article short of a proper publication with test results and a description of the test methodology can be a basis for trusting your life, your data or your infrastructure to the will of unknown code (see how we narrowly avoided using the term IT journalist there). This is especially important when it comes to securing communication in troubled areas of real or cyber space. Loose lips don’t sink ships any more (and probably never did), but leaked information can bring an awful lot of trouble down on you, which brings us back to journalism of a different kind, by the way. Works For Me™ is the wrong approach once you deal with severe risks and consequences.
This warning is not intended to discourage developers from developing useful tools. We just want to warn you against taking security tool reviews too seriously. Most of the time you will need a healthy dose of security research and testing, too.