by redbeard0x0a
2275 days ago
> enterprises around the world have done exhaustive security reviews

I'm pretty sure they are referring to security reviews for things like SOC2 and PCI, which aren't exhaustive and generally consist of throwing a scanner on the network and running some sort of OWASP Top 10 vulnerability tester against the product. I have uncovered major flaws in products I have written that these "extensive reviews" have missed, like user enumeration by changing something in a POST request.
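The user-enumeration flaw the comment mentions usually comes from a login endpoint that answers differently depending on whether the username exists. The following is an added illustration, not code from the comment author or from any product discussed: a constructed login handler that leaks account existence, beside a hardened version that returns the same response and does the same amount of work for an unknown user and a wrong password. The user table, salt and passwords are made up for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo data: a single user with a salted PBKDF2 password hash.
_SALT = b"constructed-demo-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": _hash("correct horse", _SALT)}

# Dummy hash compared against for unknown usernames, so the unknown-user
# path costs the same as the known-user path (no timing side channel).
_DUMMY = _hash(secrets.token_hex(16), _SALT)


def login_vulnerable(username: str, password: str) -> dict:
    """Leaks account existence: the error text (and the early return before
    any hashing) differs between an unknown user and a bad password."""
    if username not in USERS:
        return {"ok": False, "error": "unknown user"}
    if not hmac.compare_digest(USERS[username], _hash(password, _SALT)):
        return {"ok": False, "error": "wrong password"}
    return {"ok": True}


def login_hardened(username: str, password: str) -> dict:
    """Same response body and same work regardless of whether the user exists."""
    stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(stored, _hash(password, _SALT))
    if username in USERS and match:
        return {"ok": True}
    # One generic failure message for every failure cause.
    return {"ok": False, "error": "invalid credentials"}


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__, fn("bob", "x"), fn("alice", "x"))
```

A review that only runs a scanner will rarely flag the first handler, because the leak is in application logic: the check is to submit a known-bad password for an existing and a non-existent account and diff the responses (status, body, headers and timing). The hardened version also sends the same HTTP status for both cases; only the lockout and logging paths should know which case occurred.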
RFP by "who can tailor their marketing to check all the boxes" is a terrible process and leads to this marketing bloat. RFP would be much more useful if it stuck to "list only things you do that your competitors don't; what processes come with your product that are much more efficient or innovative compared to your competition; like an SEC disclosure, what are three true non-fluff risks to selecting your product; describe your revenue, user growth, and future ownership expectations." If a company can't answer those seriously, push them until they can, or tell them you'll move on.