Former NSS Labs CEO Launches New Security Testing Organization

Member-based CyberRatings.org to offer free and tiered paid access to tested security product and services ratings.

NSS Labs may be defunct, but its previously unreleased testing data will now see the light of day under a new testing organization created by its former CEO, Vikram Phatak.

Phatak, who left an 11-year stint at the helm of NSS Labs in 2018 after suffering a heart attack, today launched CyberRatings.org, an Austin, Texas-based, member-based organization that will generate ratings, reports, and analysis on security products and services. The new organization's first release will be product ratings based on new and unpublished NSS Labs test data for software-defined wide area network (SD-WAN) vendor offerings, and will be followed by ratings of next-generation firewall and breach prevention system products.

NSS Labs abruptly closed its doors on Oct. 15 due to what it cited as "COVID-related impacts." Privately, former employees and sources close to the company said the shutdown was due to the closure of its private equity investor, Consecutive Inc., which ultimately dried up its funding for NSS Labs. Consecutive had acquired NSS Labs for an undisclosed sum in the fall of 2019 in a move that was not publicly announced by the companies but which they later confirmed.

At the time, the privately held testing firm had shown signs of financial woes with layoffs, and several sources said the merger was a way to keep NSS Labs afloat. Jason Brvenik, who had served as CEO until its shutdown, told Dark Reading in a February interview that the deal allowed for a reorganization of the company.  

Phatak, NSS Labs' CEO from 2007 to 2018, recently acquired all of NSS Labs' testing data - including the unpublished findings - in a licensing transaction with the custodians of its assets via a liquidation process. His newly formed organization, CyberRatings.org, aims to provide a more open and inclusive source of security product assessments that also encompasses the consumer sector, he says.

CyberRatings.org will contract testing to reputable third-party testing labs, says Phatak, chairman and CEO of CyberRatings.org. "We'll focus on the ratings part [and] on information and community," he says. "Our goal is to help [people] understand how well these products work or not."

Test results alone are basically a snapshot in time, Phatak explains. "The goal of ratings is to make a forward-looking statement of what we think of the reliability of a company or product or service," he says, starting with security products but also expanding to rating managed security service providers and professional security services firms.

CyberRatings.org also will incorporate strategic information about a security firm in its ratings, such as its financial health and senior-executive hirings and departures. "All of these things go into calculating ratings," Phatak says.

Not an Island

Phatak envisions a community effort for CyberRatings.org rather than the "island" model of NSS Labs, which he admits often created an atmosphere of NSS Labs versus the security vendors. "Vendors can be part of the system being measured, but it's not 'you failed this'" with this new model, for example, he says.

NSS Labs' security-product testing infrastructure, meanwhile, is up for sale via a Silicon Valley liquidation firm. Phatak says he has no plans to purchase any of NSS Labs' testing systems, but his firm will be creating its own testing methodology for third-party testers to use as a template in their work for CyberRatings.org.

And unlike the investor-backed NSS Labs, CyberRatings.org won't be under pressure to constantly grow and increase revenue.

"This is not going to be a moneymaker," Phatak notes. "NSS Labs had a limited budget, so it had to remain narrow [in its scope]. The community is far bigger than any one organization can do, so we wanted to create that ecosystem."  

Several former NSS Labs employees have joined Phatak at the new organization, including Cathy Main, former vice president of marketing and corporate relations, who is now president of CyberRatings.org, as well as some testing analysts who had worked for the now-shuttered company.

CyberRatings.org's free community membership includes security product and services testing and rating summaries. The firm also offers higher-level memberships with more access to testing data and analysis. For example, personal membership costs $100 per year and includes detailed product rating reports.

Soon the organization plans to offer professional membership for $500 per year, small business membership for $1,000 per year, and membership for corporate and service providers for $10,000 per year.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
