I really wanted to call this post How NOT to Sell Your Scanning Tool to Other Security Companies, but it seemed a little long.

Great….. That’s really just what you want to see…Looks like it went out to all PCI ASV companies. Fantastic, now I get spam based upon the PCI vendor list… I guess there is irony in the security business after all…

So, today, I was lucky enough to get spam from another security vendor with an offer to tell me all about how their company and tool can really help us be a better PCI ASV. I thought I would include it here, with some relevant commentary…

My name is Bob XXX and I am responsible for XXX PCI Compliance Partner Program.

Hi Bob. Just in case you are new to the security world, spam is not really cool and uninvited emails, especially those without an opt-out mechanism (like this one…) are really not much different than the guys selling V1agr4 and other junk via email. It basically uses other peoples’ time and resources without their consent…

A number of PCI ASVs use XXX products and services as a basis for their PCI Scanning offerings for the following reasons:

Wow! This is a great point. So, I can use your tool, just like other ASV providers and have even LESS to set me apart from my competition on the race to FREE scanning for PCI compliance. Ummm, thanks…

XXX PCI Scanning Solution

Wait for it… Here it comes…. The long list of “benefits” to me as a security provider…. Right….

… Is a leveraged investment providing unlimited scans and not a pay for every scan expense.

Well, at least I only have to pay for it like regular software and not that pay as you go model. Ummm… How is this a benefit for ASV companies? How is this different from Nessus and the plethora of other scanners that don’t follow the “Comodo model” (wait… aren’t they FREE for PCI scans now???)?

… Can accurately identify over 17,000 conditions which can decrease analyst review time; reducing time and cost.

I always love these numbers… Our toolset checks for more than 20,000 security issues… I hate adding these in, but a lot of clients always ask for them….Also, a definition of “accurately” would be appreciated. If you are suggesting that your tool has 17,000 checks that don’t create any false positives then I would say you are delusional. Be truthful, you say it reduces analyst time, but if an analyst still has to check them then we are again back to the definition of “accurate”…

… Is based on XXX XXX, a commercially available product, with ongoing investment in research and development to insure it is the most robust and accurate solution available.

So, “commercially available” translates to “better”? I would love to see you argue this with several security folks I can think of. How does commercial availability translate to quality? Are you implying that open source or propietary solutions are lesser because of their availability and lack of commercial cost? Is Linux less “robust and accurate” than Windows because it is open source or does the fact that Redhat sells a version of it make it more “robust and accurate” since it is commercial???

… Is supported by XXX’s award winning customer support organization.

Good. I am glad to hear you have won awards for support. How much support does the product need? Oh, wait, I think I see your implication – it’s that open source thing again isn’t it? Exactly what products are you attempting to compete against? I mean Nessus, which I would assume to be your primary target, has support too if you purchase the product. My guess is that this is a stab at the customer emotions and fears of newsgroup and mailing list support. Is that still an issue? I mean, especially since ASV companies are supposed to be the experts with their scanning tools, how does this translate to something I should be concerned about? Don’t my technicians know their tools well enough to not need the usual technical support?

… Can provide a strategic foundation for other revenue generating services such as
Ø Web Application Scanning
Ø Vulnerability Risk Management Scanning
Ø Configuration Compliance solutions

Now this is interesting… At first, I took it to mean that the tool did all of this… But it just says that it provides a “strategic foundation” for generating revenue from other services… What exactly is “Vulnerability Risk Management Scanning”? How is that different from traditional vulnerability scanning? Does it measure, quantify or create metrics somehow that communicate real-world risk, or is this just the usual H/M/L stuff like always? As for the revenue, would that be revenue for the ASV or for XXX? Both? On the good news front, I am pretty glad to see that you mentioned scans for web application issues, that is a good thing and at least you got this right…

I would like the opportunity to discuss your current solution and answer any questions about XXX to determine if we are an attractive alternative.

If you are interested in learning more, please respond to me so we can coordinate a day/time for a phone conversation.

Ummm…. Thanks, but no thanks. First, my company is an ASV. To become an ASV we had to do some scanning and testing. Thus, we already have tools. We also already appear to have tools that are superior to yours, at least in our opinion.

But, the number one reason I would not buy from your company is that one of the first rules of e-commerce security is don’t purchase things from unsolicited emails; it only encourages more spam. In addition, it just doesn’t fit my ethical compass to support security vendors who would engage in “spammy practices”. Good luck, Bob, but I think you might want to think about your email marketing approach a little bit more…