My company performs security assessments for businesses, and man do I hate the perception that having a security company's logo or "certification" is the correct way to "prove security."
While, unlike most of the badges you see on sites, we do not perform recurring or daily scans, we still field requests for this type of seal all the time.
It's our policy to refuse them outright.
Our reasoning for this is twofold: primarily, it provides a false sense of security. As the article rightly points out, having a badge on your site does not make you secure. Sure, maybe it'll find some "low-hanging fruit" that you can fix, but it's not going to address major security concerns.
The second reason is to protect our own reputation. Security scans, at best, provide a snapshot in time--even if it's a recurring snapshot.
Security is a process, not a state; these seals and logos do everything to lull people into forgetting that.