Comment Re:Confidentiality Integrity Availability. (Score 1) 99
I've been involved in certifying a firewall to meet ICSA requirements. Let me say that it can only be a good thing to take into account what certifications the product has before using it. This includes FOSS and commercial.
While it's nice that you can review the source of FOSS tools, that gives you no guarantee that the tools are configured appropriately and securely. If you are in an organisation that requires a verifiable degree of security (or as management sees it: level of risk) then using certified products is a no-brainer. No one claims a certified product is absolutely secure, and you should never base a purchase decision purely on the 'does it have a shiny certification logo on the carton?', but when using a certified product you can at least say that X, Y & Z situations are covered. This is especially important in the situation of a breach, where the integrity of logging is important. You don't want your boss screaming at you because the timestamps were wrong or inconsistent, that some data was not logged, etc...
If you are interested, take a look at the criteria for certification for firewalls - http://www.icsalabs.com/technology-program/firewalls/modular-firewall-certification-criteria-version-41
There are a lot of FOSS based products, including the one I worked on, that are ICSA certified. You can have your cake and eat it.