My SLA can beat up your SLA
My buddy Ross Brown (you know, I really do consider Ross a buddy, having had a chance to get to know him in person at RSA, but that is another story) has an article up taking a shot at nCircle's 24-hour SLA. To tell you the truth, I was not aware of nCircle's SLA, but a long-dormant brain cell in my head fired up something about me having written on this before. A Technorati search of my blog turns up that exactly one year ago, Feb 16, 2006, I wrote about last year's RSA and some of the SLAs and guarantees that were being offered. Besides showing that very little in security is ever really new, I thought, even back then, that SLAs in security seem to be long on marketing and short on real protection.
For the record, I agree with Ross: I think a 24-hour SLA is nothing to write home about. We, like eEye and, I am going to guess, nCircle and most other companies, do a good job of getting tests out for the new vulnerabilities (Ross, I don't think nCircle is putting out patches, but rather tests to see if the patch is applied or if the vulnerability is present) pretty quickly, usually in just a few hours. However, when you are going to put your money where your mouth is, I think you tend to be conservative. The 24-hour SLA is not meant to be the normal expectation, but the worst-case scenario. Frankly, if you want to force nCircle to do better, come out with a better SLA that they will have to match to compete. Let me know when you do and we will look at matching it here. However, my question is this: Is anybody buying product based on this SLA? If the answer is no, who gives a hoot?


