I have been in Denver all week for Accuvant’s annual sales kick-off. Today the SEs and consultants were in a bunch of vendor mini-trainings for the SEs. Can you say death by PowerPoint???
Anyway, one of the vendors presenting is a well-known security vendor that has some products around web app security. Up pops their obligatory reference slide of companies who use their products, and guess who is on the list? Yep, you guessed it: TJX (read about TJX here if you are not aware of the story).
It was weird because the reference slide was all text and must have had about 30-40 companies listed, but my eyes were immediately drawn to TJX. The presenter had paused to take a breath, and I quickly commented, “I don’t think I would have TJX on my reference list.”
Now understand that almost everybody in the room was an SE, a security consultant, a security assessment person (pen tests, social engineering, etc.), or a compliance person. These people, including me, take pride in being up on current security issues. The room went silent, and just about everyone looked at the slide. The presenter just kind of froze. Then a couple of chuckles were heard, and everyone was kind of like, “Holy crap.” The presenter, after he unfroze, said that TJX probably had some of their other products and not their web app stuff. Good recovery, dude.
Truthfully, the vendor in question has some great stuff, and they are one of our top partners. But if they had used this slide at a customer that was knowledgeable and up on events, they probably would have been screwed.