nCircle.com >> 360 Security


Security and Quality

Today I took a few members of the Toronto team west to Kitchener, to attend the Security of Quality conference, put on by the ASQ.

It was an opportunity to sit in a room full of people who have solved real quality problems, which is more than our industry can say. The IT industry in general, and IT security specifically, are still such new industries that quality isn't exactly expected - customers accept crashes from Microsoft on a daily basis as if they were normal. These are the same customers who will freak out and take their car to a mechanic the moment they hear a funny noise.

What's more interesting is that the entire industry pretends that nothing's really happening - everybody talks as if the quality problem in IT security were already solved. Especially in the vulnerability management industry: everyone claims "the best coverage!!!" and "NO FALSE POSITIVES!!!".

Let me be the first to say it: the emperor has no clothes on.

Quality is taboo in this industry because everybody knows that we haven't solved all the problems yet. Our competitors solve the problem by BUILDING IN quality problems:

Got a false-positive? Call it a "Potential" vulnerability and let the customer figure it out.

It's pathetic, really. Gauth calls it "lying". I call it "an extreme lack of integrity".

Flat out: there is no solution with perfect coverage and no false positives. But we fix every false positive that we're told about, and we're working to make the product perfect.

That's integrity - we work to be better than we are, rather than just hiding our errors and offloading them onto the customer.

This page contains a single entry from the blog posted on April 27, 2005 4:07 PM.