Every time I go to one of the dozens of security conferences, I like to go to the vendors' booths and ask them the following questions:
1. Which attack vectors does your product detect and/or mitigate?
2. What is the amount (ratio/percentage) of your false positives and false negatives?
3. How much performance impact does your product add to the existing web application / environment / system / network in terms of latency?
4. How much time and human work does it take to deploy your product?
5. How much human work is needed to maintain your product?
6. How many customers are using your product?
7. What is your roadmap?
Why ask?
A few years ago I spoke to a guy who introduced himself as a security expert, and he told me about a concept called Security Exposure Analysis. When I asked him what it means, he told me the above questions. Then he told me: if you are talking to a vendor, ask him those questions, then you will know if you need to buy their product or not. Ever since, I have been asking them, and it does help.
Which questions do you ask before you buy a security product?