2/5/2019
10:30 AM
Brian Monkman
Commentary
Taming the Wild, West World of Security Product Testing

The industry has long needed an open, industry-standard testing framework. NetSecOPEN is working to make that happen.

Deciding what products can improve an organization's network security is a complex process. You must weigh a number of factors as part of the purchase decision, one of the most crucial of which is the impact of the product on network performance. However, given the current state of security product testing, it is virtually impossible to perform an accurate "apples-to-apples" product comparison. Proprietary testing methods conducted under uniquely optimized conditions create a chaotic scenario in which everyone plays by their own rules and customers are left struggling to sort it all out. NetSecOPEN is working to solve this problem by developing an open, industry-standard testing framework.

Wild, Wild West
Other industries have established standards, with which all companies must comply, and for good reason. When different companies use the same terms and claim to use the same metrics but define the terms and calculate the metrics entirely differently, it creates chaos for customers.

For example, years ago there was no standard for determining miles per gallon for vehicles. Automobile manufacturers had their own proprietary definitions and methods for calculating miles per gallon. Two vehicles that both got 25 mpg according to the manufacturer might have wildly different mileage results in the real world. The National Highway Traffic Safety Administration and the Environment Protection Agency stepped in and established standardized definitions and requirements for fuel economy, enabling consumers to use miles-per-gallon ratings to evaluate automobile performance with confidence.

There are many other industries that could benefit from standardized methodologies. Laptop manufacturers cite battery life as a key feature of their devices, but the battery life results customers experience rarely — if ever — live up to the claims. Vendors test battery life in very specific conditions with highly customized configurations. The result is that there is no accurate way to compare battery life claims from one vendor to the next.

Cybersecurity is critical for organizations, and it generally represents a very significant investment. It is not feasible for a company to implement and test a wide variety of solutions to determine which works best. Even when an organization is able to narrow down the options and conduct pilot tests in its own environment, vendors can, and often do, place strict limits and constraints on how the pilot test is configured and managed.

I previously worked in the technology testing field and have firsthand experience with some of the challenges of traditional testing methodologies. Vendors frequently impose specific test requirements that highlight the performance aspects on which they want to focus — which more or less invalidates the purpose of testing in the first place. Ultimately, such an approach threatens the integrity of testing in general.

Standardizing Network Security Product Testing
There are currently no up-to-date, relevant open test standards for network security performance testing. In the last decade, network traffic has gone from roughly 80% unencrypted HTTP to, in many enterprises, over 80% of perimeter traffic encrypted with HTTPS and modern secure cipher suites. In other words, network traffic has changed significantly over the last 10 years, but testing standards and methodologies have not been updated or adapted to account for these changes.

One result of these rapid changes and the absence of universal test standards is that to determine the performance of their network security solutions, testing groups have developed proprietary methods. We have reached a critical point, however, where we need to close the gap between proprietary test performance metrics and observed real-world performance. Otherwise, the tests themselves may become meaningless.

What is needed is greater transparency and standardization of testing methodology, with real-world factors integrated into the testing scenarios. Leading cybersecurity tool vendors and testing labs recognize these requirements, which is why momentum is building for developing and implementing standardized testing methodologies.

Role of NetSecOPEN
NetSecOPEN, a nonprofit, membership-driven organization, was formed in 2017 with the goal of developing open standards for testing network security products. Founding members include leading security vendors, test equipment vendors, and testing laboratories: security vendors Check Point, Cisco, Fortinet, Palo Alto Networks, SonicWall, Sophos, and WatchGuard; test solution and services vendors Spirent and Ixia/Keysight; and testing labs European Advanced Networking Test Center (EANTC) and the University of New Hampshire InterOperability Lab (UNH-IOL).

The organization exists to overcome the current situation — competing and confusing testing methodologies — and establish a new way of designing tests that are open, transparent, and created collaboratively. NetSecOPEN's testing methodology was developed in consultation with the current membership and will continue to evolve as new members join and as a new generation of security products come to market.

The effort to standardize is backed by significant collaboration and momentum. The intent is not to compete with or replace today's testing labs. In fact, the industry's premier testing labs support the effort and are collaborating to improve and standardize network security performance testing. Testing organizations and vendors alike recognize that apples-to-apples performance tests that realistically portray the impact of a network security product on network performance are essential, and they are cooperating to make that happen.

Brian Monkman is executive director of NetSecOPEN, a nonprofit, membership-driven organization with a goal of developing open standards for testing network security products. A 25-year network security veteran, he has extensive experience in technical support, sales ...
Comments
ThomasMaloney,
User Rank: Apprentice
2/14/2019 | 12:23:12 AM
First things first
You know what I feel about consumers using their digital devices? I think that many of them really don't care about security because they only worry about the tangible and immediate things like performance and speed. Things like security are secondary to them because they don't see the immediate threat.
EdwardThirlwall,
User Rank: Apprentice
2/11/2019 | 2:09:23 AM
Guidelines needed
It would indeed cause chaos to erupt amongst the end users. People would eventually get confused as to what are the true terms and conditions that they can fall back on when doubts arise. There is no benchmark being set which can be the guideline that they all can refer to to lead them to a solution.