
Risk
5/21/2020 02:00 PM
Henry Harrison
Commentary

How an Industry Consortium Can Reinvent Security Solution Testing

By committing to independent testing to determine value, vendors will ensure that their products do what they say they do.

The challenge with proof-of-concepts (PoCs) for cybersecurity solutions is that they primarily tell chief information security officers (CISOs) and their teams that a product will be quick to integrate and has a strong user interface. These things are easy to measure. But whether the solution actually works in terms of defeating attacks and mitigating risk? That is a much more difficult capability to assess. Unfortunately, when a product that passed its PoC fails to prevent exposure, CISOs are too often the ones caught in the middle after a crippling attack.

Why do PoCs fall short? It's because the cost of pursuing in-depth testing remains prohibitive for many organizations. Cybersecurity vendors take full advantage because they have no incentive to do much more than simply measure user interface and ease of integration. That's why it's past time to tear down and rebuild how we conduct solution evaluations.

Note the use of the word "we" here. We are doomed to continue spinning our wheels unless we unite as an industry.

While vendors have introduced some notable initiatives, such as NetSecOpen, the industry can't rely entirely on vendors to provide a plan or framework for a more standardized approach to assessing and then testing new solutions. Enterprises must take the lead if we want to see real change. Now more than ever, in the midst of COVID-19, we need an industry consortium to empower enterprises to better assess products, especially organizations that do not have the margins to oversee effective PoCs on their own.

In some cases, a logical first step is to rely on the assessments already carried out by governments. On the other hand, there are significant differences between governments and commercial entities, and it is not always clear that their security requirements are the same. In addition, each government has its own approach and opinion, a real challenge for global enterprises.

A Fragmented Market
The cybersecurity solutions and services market has grown increasingly fragmented, and the beleaguered CISO is under immense pressure to demonstrate ROI. Thus, a consortium – one that brings together multiple buyers of a tool to collaborate on establishing its true value before purchase and implementation – is critical. The consortium would readily resolve the cost issue, as companies would pool their PoC budgets to fund more thorough white box and black box testing.

It is true that these businesses compete against each other in the marketplace. But they are also peers. It's vastly better to collaborate with peers/competitors to learn what is unknown before spending countless dollars on a tool that could very well fail them in short order. Besides, it's not as if one consortium member would gain a competitive edge over another by combining resources for testing; everyone is on an even playing field.

For this to work, the participating organizations must designate independent testers as an indispensable component. The testers would serve as unquestioned truth-seekers with no skin in the game. They are strictly the "home inspectors" here, not the buyers or sellers of the house.

As for methodology, independent testers must ensure the products protect against both existing threats and future, as-yet-unknown ones. They should require vendors to reveal complete details about their designs, implementation, and engineering practices - without allowing them to hide behind "commercial confidentiality" as a means to avoid disclosure.

Intensive Assessments and Reviews
With this, testers will be able to conduct intensive assessments of detailed design and implementation documentation, along with source code reviews. They then can proceed with comprehensive white box testing against known attacks, as well as potential future ones on the assumption that attackers will eventually be armed with full knowledge of design and implementation. Of course, such a level of extensive testing will amount to an expensive proposition. But, again, consortium members would share the cost burden by pooling together their available funding.

What's more, should this optimal level of evaluation emerge as the norm, it will force vendors to make changes on their own. In the interest of pure survival, they will budget for even more rigorous internal vetting of what they intend to bring to the market.

Enterprises and their CISOs are dealing with a broad spectrum of cyber-risk mitigation activities and operational issues that make it difficult for them to pay attention to the available product assessment and testing options. Enterprises with like-minded goals can trust each other to determine the right testing they collectively require. Power in numbers and bigger dollar pools will enable the consortium plan to drive real change.

We cannot delay. The current state of PoC processes, product assessment, and testing won't tell us enough of what we need to know. But by committing to a consortium with independent testing to determine true value, vendors will have to ensure the products do what they say they do – or risk extinction.


Henry Harrison is co-founder and CTO at Garrison, and a seasoned IT industry executive, serial entrepreneur and the brain behind Garrison's core technologies. Henry has a background in leading the development of innovation in cyber security and Garrison was founded to create ...
Comments

AndrewRGravett, User Rank: Apprentice
5/22/2020 | 4:20:43 AM
pros and cons
I can definitely see the benefits of this approach to both parties, i.e. transparency of results, reduction of effort, but also some issues. The first issue I would consider is overall independent governance of a consortium so that there is a level playing field, rigorous test methodology, etc. Second, that even within the same industry or market segment consortium "no two environments are the same", for example networking hardware age, firmware, configuration, traffic flows, etc., so a result in a standardized PoC test lab would still need replicating and testing in "my environment", effectively doubling the effort.