Momentum Builds for Open, Transparent Security Testing

While it’s clear that independent testing doesn’t always mean clear and fair results, there’s growing support around the NetSecOPEN security testing model.

There is a lot at stake in the performance and security of network devices, and that is why testing has always been carried out by independent, third-party organizations.

But as we’ve all seen, independent testing does not necessarily ensure clear and fair results.

I have discussed the problems with relying on private companies and their somewhat secretive testing assessments in previous blogs. The test constructs are often not published, the methodologies are not transparent and there is limited documentation available to verify that the results are fair, accurate and repeatable.

A recent example of how proprietary testing can go wrong is the NSS/CrowdStrike lawsuit that occurred during a test of CrowdStrike’s Falcon breach protection solution. In this case, as Dark Reading stated: “The fact that NSS Labs retracted its rating of CrowdStrike's Falcon platform highlights one of the primary issues with closed or proprietary network security testing standards. Without visibility into the testing protocols and standards used, there is no way for organizations to objectively determine whether an NSS Labs assessment is right or wrong.”

Growing support for a transparent approach

NetSecOPEN was founded in 2017 to provide a transparent, standards-based approach to security performance testing. Today, the non-profit, membership-driven organization is supported by many of the world’s leading security product vendors, test equipment vendors and testing laboratories. These organizations all agree upon a growing set of publicly available test methodologies with the first set of methodologies being fully ratified by the IETF.

The difference between the NetSecOPEN model and the traditional model embodied by NSS (now defunct; see the recent Dark Reading article for details) is that NetSecOPEN uses a community-based approach and openly builds on the work of others. For example, the IETF Benchmark Working Group defines how to measure bandwidth of a firewall and NetSecOPEN applies this to modern security solutions as they operate in realistic scenarios.

To be clear, NetSecOPEN was not specifically formed as an alternative to private organizations such as NSS. In fact, private testing companies such as EANTC and UNH-IOL are founding members of NetSecOPEN and are part of any company looking to have NetSecOPEN certification. NetSecOPEN was founded to deliver apples-to-apples performance tests that realistically portray the security capabilities and performance of equipment with tests that are open and collaboratively created.

And in the past few months, I have seen mounting evidence that there is momentum behind embracing the NetSecOPEN model. For example:

  • Since its founding in 2017, NetSecOPEN has become the leader in performance security testing.

  • NetSecOPEN has grown to 14 members, including Cisco, EANTC, Fortinet, InterOperability Laboratory, IXIA, Juniper, Palo Alto Networks, SE Labs, SonicWall, Sophos, Spirent, Trend Micro, VIAVI, and WatchGuard.

  • NetSecOPEN continues to expand and broaden its scope in network security testing and assessment, with specific direction set in collaboration with its members.

  • The former CEO of NSS recently formed a new organization, CyberRatings.org, that “aims to provide a more open and inclusive source of security product assessments…”

Spirent is a founding member of NetSecOPEN and is deeply involved in ongoing efforts with the consortium on defining and developing this standards-based approach to assessing modern security solutions. This will become even more important as digital transformation moves more organizations to cloud-based services and security. NetSecOPEN test methodologies are included in Spirent’s Security and Performance assessment solutions, so that vendors and users alike can run the same test plans, drawn from the more than 50 NetSecOPEN methodologies currently defined.

Spirent solutions were heavily used in this initial set of NetSecOPEN certifications and all the test plans are available in the Spirent CyberFlood assessment platform, allowing users to model NetSecOPEN tests in their own labs.

Mike Jack

Sr. Manager Security Solutions Product Marketing

Michael Jack is senior manager of Product Marketing of Spirent Communications’ applications and security solutions portfolio, with 20 years of working in the data communications industry and over 15 years working for networking test and measurement organizations. At Spirent Communications, Michael works with the Product Management team to define, produce and deliver cutting-edge Applications and Security testing solutions for Network Equipment Manufacturers, Enterprises, and Service Providers. Michael has presented at numerous industry events and has worked in Product Marketing and Management capacities at a diverse number of networking companies including Thomas-Conrad, UB Networks, Newbridge Networks, Compaq, and Antara.