Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Henry Harrison
Henry Harrison
Connect Directly
E-Mail vvv

How an Industry Consortium Can Reinvent Security Solution Testing

By committing to independent testing to determine value, vendors will ensure that their products do what they say they do.

The challenge with proof-of-concepts (PoCs) for cybersecurity solutions is that they primarily tell chief information security officers (CISOs) and their teams that a product will be quick to integrate and has a strong user interface. These things are easy to measure. But whether the solutions actually work in terms of defeating attacks and mitigating risk? That is a much more difficult capability to assess. Unfortunately, when the PoC fails to prevent exposure, CISOs are too often caught in the middle after a crippling attack.

Why do PoCs fall short? It's because the cost of pursuing in-depth testing remains prohibitive for many organizations. Cybersecurity vendors take full advantage because they have no incentive to do much more than simply measure user interface and ease of integration. That's why it's past time to tear down and rebuild how we conduct solution evaluations.

Note the use of the word "we" here. We are doomed to continue spinning our wheels unless we unite as an industry.

While vendors have introduced some notable initiatives, such as NetSecOpen, the industry can't totally rely on vendors to provide a plan or framework for a more standardized approach for assessing and then testing new solutions. Enterprises must take the lead if we want to see real change. Now more than ever during our COVID-19 existence, we need an industry consortium to empower enterprises to better assess products, especially for organizations that do not have the margins to oversee effective PoCs on their own.

In some cases, a logical first step is to rely on the assessments already carried out by governments. On the other hand, while it's important to consider that there are significant differences between governments and commercial entities, it is not always clear that their security requirements are the same. In addition, each government has their own approach and opinion – a real challenge for global enterprises.

A Fragmented Market
The cybersecurity solutions and services market has grown increasingly fragmented, and the beleaguered CISO is under immense pressure to demonstrate ROI. Thus, a consortium – one that brings together multiple buyers of a tool to collaborate on its true value before purchase and implementation – proves critical. The consortium would readily resolve the cost issues, as companies would collectively pool their PoC budgeting to fund for more thorough white box and black box testing.

It is true that these businesses compete against each other in the marketplace. But they are also peers. It's vastly better to collaborate with peers/competitors to know what is unknown before spending countless dollars on a tool that could very well fail them in short time. Besides, it's not as if one consortium member would gain competitive edge over another in combining resources for testing; everyone is on an even playing field.

For this to work, the participating organizations must designate independent testers as an indispensable component. The testers would serve as unquestioned truth-seekers with no skin in the game. They are strictly the "home inspectors" here, not the buyers or sellers of the house.

As for methodology, independent testers must ensure the products protect against both existing threats and future, as-of-yet-unknown ones. They should require vendors to reveal complete details about their designs, implementation, and engineering practices - without allowing them to hide behind "commercial confidentiality" as means to avoid disclosure.

Intensive Assessments and Reviews
With this, testers will be able to conduct intensive assessments of detailed design and implementation documentation, along with source code reviews. They then can proceed with comprehensive white box testing against known attacks, as well as potential future ones on the assumption that attackers will eventually be armed with full knowledge of design and implementation. Of course, such a level of extensive testing will amount to an expensive proposition. But, again, consortium members would share the cost burden by pooling together their available funding.

What's more, should this optimal level of evaluation emerge as the norm, it will force vendors to make changes on their own. In the interest of pure survival, they will budget for even more rigorous internal vetting of what they intend to bring to the market.

Enterprises and their CISOs are dealing with a broad spectrum of cyber-risk mitigation activities and operational issues that make it difficult for them to pay attention to the available product assessment and testing options. Enterprises with like-minded goals can trust each other to determine the right testing they collectively require. Power in numbers and bigger dollar pools will enable the consortium plan to drive real change.

We cannot delay. The current state of PoC processes, product assessment, and testing won't tell us enough of what we need to know. But by committing to a consortium with independent testing to determine true value, vendors will have to ensure the products do what they say they do – or risk extinction.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Biometrics in the Great Beyond."

Henry Harrison is co-founder and CTO at Garrison, and a seasoned IT industry executive, serial entrepreneur and the brain behind Garrison's core technologies. Henry has a background in leading the development of innovation in cyber security and Garrison was founded to create ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/22/2020 | 4:20:43 AM
pros and cons
I can definitely see the benefits of this approach to both parties i.e. transparency of results, reduction of effort but also some issues the first issue I would consider is overall independent governance of a consortium so that there is a level playing field, rigorous test methodology etc, second  that even within the same industry or market segment consortium "no two environments are the same" for example networking hardware age, firmware, configuration, traffic flows etc so a result in a standardized PoC test lab would still need replicating and testing in "my environment" so effectively doubling the effort..
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-17 package apport hooks, it could expose private data to other local users.