Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/5/2019
10:30 AM
Brian Monkman
Brian Monkman
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Taming the Wild, West World of Security Product Testing

The industry has long needed an open, industry-standard testing framework. NetSecOPEN is working to make that happen.

Deciding what products can improve an organization's network security is a complex process. You must weigh a number of factors as part of the purchase decision, one of the most crucial of which is the impact of the product on network performance. However, given the current state of security product testing, it is virtually impossible to perform an accurate "apples-to-apples" product comparison. Proprietary testing methods conducted under uniquely optimized conditions create a chaotic scenario in which everyone plays by their own rules and customers are left struggling to sort it all out. NetSecOPEN is working to solve this problem by developing an open, industry-standard testing framework.

Wild, Wild West
Other industries have established standards, with which all companies must comply, and for good reason. When different companies use the same terms and claim to use the same metrics but define the terms and calculate the metrics entirely differently, it creates chaos for customers.

For example, years ago there was no standard for determining miles per gallon for vehicles. Automobile manufacturers had their own proprietary definitions and methods for calculating miles per gallon. Two vehicles that both got 25 mpg according to the manufacturer might have wildly different mileage results in the real world. The National Highway Traffic Safety Administration and the Environment Protection Agency stepped in and established standardized definitions and requirements for fuel economy, enabling consumers to use miles-per-gallon ratings to evaluate automobile performance with confidence.

There are many other industries that could benefit from standardized methodologies. Laptop manufacturers cite battery life as a key feature of their devices, but the battery life results customers experience rarely — if ever — live up to the claims. Vendors test battery life in very specific conditions with highly customized configurations. The result is that there is no accurate way to compare battery life claims from one vendor to the next.

Cybersecurity is critical for organizations, and it generally represents a very significant investment. It is not feasible for a company to implement and test a wide variety of solutions to determine which works best. Even when an organization is able to narrow down the options and conduct pilot tests in the organization's own environment, vendors can, and often do, place strict limits and constraints on how the pilot test is configured and managed

I previously worked in the technology testing field and have firsthand experience with some of the challenges of traditional testing methodologies. Vendors frequently impose specific test requirements that highlight the performance aspects on which they want to focus — which more or less invalidates the purpose of testing in the first place. Ultimately, such an approach threatens the integrity of testing in general.

Standardizing Network Security Product Testing
There are currently no up-to-date, relevant open test standards for network security performance testing. In the last decade, networks have evolved from 80% unencrypted HTTP — in many enterprises, over 80% of the perimeter traffic is now encrypted with HTTPS and modern secure cipher suites. In other words, network traffic has evolved, changing significantly over the last 10 years, but testing standards and methodologies have not been updated or adapted to account for these changes.

One result of these rapid changes and the absence of universal test standards is that to determine the performance of their network security solutions, testing groups have developed proprietary methods. We have reached a critical point, however, where we need to close the gap between proprietary test performance metrics and observed real-world performance. Otherwise, the tests themselves may become meaningless.

What is needed is greater transparency and standardization of testing methodology, with real-world factors integrated into the testing scenarios. Leading cybersecurity tool vendors and testing labs recognize these requirements, which is why momentum is building for developing and implementing standardized testing methodologies.

Role of NetSecOPEN
NetSecOPEN, a nonprofit, membership-driven organization, was formed in 2017 with the goal of developing open standards for testing network security products. Founding members include leading security vendors, test equipment vendors, and testing laboratories, including Check Point, Cisco, Fortinet, Palo Alto Networks, SonicWall, Sophos, and WatchGuard; test solution and services vendors Spirent and Ixia/Keysight; and testing labs European Advanced Networking Test Center (EANTC), and the University of New Hampshire InterOperability Lab (UNH-IOL).

The organization exists to overcome the current situation — competing and confusing testing methodologies — and establish a new way of designing tests that are open, transparent, and created collaboratively. NetSecOPEN's testing methodology was developed in consultation with the current membership and will continue to evolve as new members join and as a new generation of security products come to market.

The effort to standardize is backed by significant collaboration and momentum. The intent is not to compete with or replace today's testing labs. In fact, the industry's premier testing labs support the effort and are collaborating to improve and standardize network security performance testing. Testing organizations and vendors alike recognize that apples-to-apples performance tests that realistically portray the impact of a network security product on network performance are essential, and they are cooperating to make that happen.

Related Content:

Brian Monkman is executive director of NetSecOPEN, a nonprofit, membership-driven organization with a goal of developing open standards for testing network security products. A 25-year network security veteran, he has extensive experience in technical support, sales ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ThomasMaloney
50%
50%
ThomasMaloney,
User Rank: Apprentice
2/14/2019 | 12:23:12 AM
First things first
You know what I feel about consumers using their digital devices? I think that many of them really don't care about security because they only worry about the tangible and immediate things like performance and speed. Things like security is secondary to them because they don't see the immediate threat.
EdwardThirlwall
50%
50%
EdwardThirlwall,
User Rank: Moderator
2/11/2019 | 2:09:23 AM
Guidelines needed
It would indeed cause chaos to erupt amongst the end users. People would eventually get confused as to what are the true terms and conditions that they can fall back on when doubts arise. There is no benchmark being set which can be the guideline that they all can refer to to lead them to a solution.
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31769
PUBLISHED: 2021-06-21
MyQ Server in MyQ X Smart before 8.2 allows remote code execution by unprivileged users because administrative session data can be read in the %PROGRAMFILES%\MyQ\PHP\Sessions directory. The "Select server file" feature is only intended for administrators but actually does not require autho...
CVE-2020-20469
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the log_edit.php files failing to filter the csa_to_user parameter, remote attackers can exploit the vulnerability to obtain database sensitive information.
CVE-2020-20470
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has web site physical path leakage vulnerability.
CVE-2020-20471
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has an unauthorized access vulnerability in default_user_edit.php, remote attackers can exploit this vulnerability to escalate to admin privileges.
CVE-2020-20472
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has a sensitive information disclosure vulnerability. The if_get_addbook.php file does not have an authentication operation. Remote attackers can obtain username information for all users of the current site.