<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-7284693229621840678</atom:id><lastBuildDate>Mon, 09 Nov 2009 16:54:49 +0000</lastBuildDate><title>Security Product Testing</title><description>This blog contains perspectives and commentary on security product testing &amp;amp; certification, industry trends, and PCI compliance from NSS Labs experts.</description><link>http://nsslabs.blogspot.com/</link><managingEditor>noreply@blogger.com (Rick Moy)</managingEditor><generator>Blogger</generator><openSearch:totalResults>47</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/SecurityProductTesting" type="application/rss+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-8185330990597299054</guid><pubDate>Fri, 06 Nov 2009 21:11:00 +0000</pubDate><atom:updated>2009-11-09T08:54:38.552-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Testing</category><category domain="http://www.blogger.com/atom/ns#">Methodologies</category><category domain="http://www.blogger.com/atom/ns#">anti-malware</category><title>CISOs - the Wild List isn't</title><description>In a &lt;a href="http://www.forbes.com/2009/11/03/security-nss-labs-technology-cio-network-wildlist.html"&gt;Forbes article&lt;/a&gt; this week, Analyst Charlotte Dunlap outlines questions 
CISOs should be asking when evaluating anti-malware products. There's a common misperception about the 'wild list' and how meaningful it is. If you're buying antivirus products because they're certified by one of the organizations that uses the Wild List in its testing, you're not exactly referencing the most rigorous, meaningful standards.&lt;br /&gt;&lt;br /&gt;The Wild List:&lt;br /&gt;- contains a couple hundred virus samples (922 in August 2009 to be exact)&lt;br /&gt;- contains only viruses, except a couple of worms (Koobface and Conficker - and dozens of variants of the same), only added a couple of months ago. There are no rootkits, trojans, downloaders, or spyware! Note: Trojans and downloaders are arguably the most prevalent initial infectors (exploits are another story)&lt;br /&gt;- contains viruses that have been agreed upon by at least TWO antivirus researchers, who in almost all cases work for AV companies&lt;br /&gt;- is generally 2-3 months behind emerging threats by the time folks agree&lt;br /&gt;Now, this was a good idea back when there were a hundred viruses a month. But the volume and complexity of malware have outpaced the organization's ability to keep up, and the list has become less relevant.&lt;br /&gt;&lt;br /&gt;In our opinion, the Wild List is NOT representative of threats on the Internet, and it is extremely biased because of sharing and its narrow definition of scope. Should you be basing your purchasing decisions on certifications that use it? 
(ICSA Labs, VB100, West Coast Labs)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-8185330990597299054?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/ktRq79FBVdg/cisos-wild-list-isnt.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2009/11/cisos-wild-list-isnt.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-7349858131843182548</guid><pubDate>Thu, 08 Oct 2009 07:57:00 +0000</pubDate><atom:updated>2009-10-08T02:06:20.411-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">anti-malware</category><title>Evading Anti-malware Products</title><description>Anti-malware products are not 100% effective, as evidenced by our recent &lt;a href="http://nsslabs.com/anti-malware"&gt;anti-malware tests&lt;/a&gt;. In fact, some seem to be falling behind the bad guys.&lt;br /&gt;&lt;br /&gt;Why? Because the bad guys are smart and aggressive. And remember, cybercriminals need only find one open door to get in, whereas defenders need to protect all the doors.&lt;br /&gt;&lt;br /&gt;Cybercriminals are employing a plethora of techniques in a highly automated fashion to evade detection. Gunter Ollman and the &lt;a href="http://damballa.com/"&gt;Damballa &lt;/a&gt;team have written a nice paper explaining  &lt;a href="http://www.damballa.com/downloads/r_pubs/WP_SerialVariantEvasionTactics.pdf"&gt;malware evasion techniques&lt;/a&gt;. These automated methods allow bad guys to create massive amounts of unique malware that can circumvent AV software. Popular techniques include using:&lt;br /&gt;1. Crypters&lt;br /&gt;2. Protectors&lt;br /&gt;3. Packers&lt;br /&gt;4. Binders&lt;br /&gt;5. Quality Assurance&lt;br /&gt;See the well-written paper for a more complete discussion. 
This is why AV products are having to evolve, and quickly.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-7349858131843182548?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/QJKbi_ZR0TE/evading-anti-malware-products.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2009/10/evading-anti-malware-products.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-7464841163855574035</guid><pubDate>Tue, 06 Oct 2009 05:08:00 +0000</pubDate><atom:updated>2009-10-08T00:57:43.865-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Security</category><category domain="http://www.blogger.com/atom/ns#">Testing</category><title>Awareness Month</title><description>October has been national &lt;a href="http://www.nbcam.org/"&gt;Breast cancer Awareness Month&lt;/a&gt; for the last 25 years. For the last 5 years, it has also been the national &lt;a href="http://www.staysafeonline.org/"&gt;Cybersecurity Awareness Month&lt;/a&gt;. I don't know how these things get set, but it seemed to me there were a couple common threads going on.&lt;br /&gt;&lt;br /&gt;Both are major problems for our society. One is a condition when cells replicate uncontrollably, the other a premeditated malicious digital attack. In 2009, there are 193,000 new breast cancer cases expected. My mother is a breast cancer survivor, thanks to early detection, great doctors and divine will. 
And we all likely know someone who is a cyber-security attack survivor: after all, there are &lt;a href="http://www.privacyrights.org/ar/ChronDataBreaches.htm"&gt;339 million victims&lt;/a&gt; of data loss and breaches (see: &lt;a href="http://datalossdb.org/"&gt;Data Loss DB&lt;/a&gt; and &lt;a href="http://www.privacyrights.org/"&gt;Privacyrights Clearinghouse&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;When it comes to breast cancer, &lt;span style="font-weight: bold;"&gt;early detection &lt;/span&gt;is the key; there are even earlier technologies than the mammogram. But, what's the corollary for cybersecurity? &lt;span style="font-weight: bold;"&gt;Testing&lt;/span&gt; of course! Testing of our knowledge of threats and best practices. And testing of our defenses: whether individual products, or layered defense architectures and policies.&lt;br /&gt;&lt;br /&gt;Unfortunately, there is far too little testing going on.  Erecting defenses and not periodically evaluating their effectiveness is a far too common practice. Requirements of certain compliance regimes like PCI DSS are helping drive awareness and require at least some level of testing. However, there seems to be a common perception that you can 'set it and forget it.' 
For technologies like &lt;a href="http://nsslabs.com/IPS"&gt;IPS &lt;/a&gt;and &lt;a href="http://nsslabs.com/anti-malware"&gt;anti-malware&lt;/a&gt; that require constant updating, nothing can be further from the truth.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-7464841163855574035?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/kbfj3bhy_C0/awareness-month.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2009/10/awareness-month.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-6167243154350625029</guid><pubDate>Mon, 21 Sep 2009 23:26:00 +0000</pubDate><atom:updated>2009-09-23T00:24:39.755-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Testing</category><category domain="http://www.blogger.com/atom/ns#">anti-malware</category><title>Are anti-malware products a commodity?</title><description>As any antivirus/security vendor will tell you: "No. we're not all the same. Mine is better." :-)  Yet, in the Sept 2009 issue of &lt;a href="http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1365969_mem1,00.html"&gt;Infosecurity Magazine&lt;/a&gt;, Forrester analyst Natalie Lambert suggests that all anti-malware products are essentially the same. &lt;span style="font-style: italic;"&gt;"Generally speaking, antimalware is antimalware; what you get from one vendor is not much different than what you get from another." &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;It is perhaps understandable how one might believe this given all the marketing and the sheer difficulty in empirically discerning otherwise (but not really for an analyst). Much of the testing shows scores between 98 and 99%. 
And other long-standing organizations have essentially declared as much through their certifications. Dozens of products have achieved the Virus Bulletin VB100%(tm) award, and still others tout the Westcoast Labs Checkmark(tm) certification as a moniker of distinction. And ICSA Labs has certified 52 antivirus products to be up to snuff. So they must all be great, right?&lt;br /&gt;&lt;br /&gt;Wrong. This is where &lt;a href="http://nsslabs.com/"&gt;real-world independent testing&lt;/a&gt; comes in that actually measures meaningful differences, like proactive protection (keeping malware off the machine), time to add protection, and protection over an extended period of time.  In our recent &lt;a href="http://nsslabs.com/anti-malware"&gt;Group Test of corporate and consumer endpoint protection products&lt;/a&gt; using our Live Testing methodology, we found a dramatic stratification of products' abilities to stop socially engineered malware (the kind that tricks users into clicking 'download and run'), currently the largest infection vector. Here are some key findings from the consumer report:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Proactive 0-hour protection ranged from 26% to 70% &lt;/li&gt;&lt;li&gt;Overall protection varied between 67% and 96% (over the course of 17 days of 24x7 testing)&lt;/li&gt;&lt;/ul&gt;Given such vast differences in real-world effectiveness, what value are these certifications anyways? In our opinion, not much... The threatscape has accelerated and some vendors are adapting faster than others. Unfortunately, testing was not adapting, resulting in &lt;span id="intelliTxt"&gt;a huge gap in trusted, real-world knowledge. The ensuing false sense of security creates greater risk for companies and consumers. 
We are filling that hole by delivering data based on our &lt;/span&gt;Live Testing methodology.&lt;br /&gt;&lt;br /&gt;Since we performed these tests on our own, without any vendor funding, we are selling the &lt;a href="http://nsslabs.com/host-malware-protection/corporate-endpoint-protection-products.html"&gt;group test of corporate endpoint protection products&lt;/a&gt;. See all the &lt;a href="http://nsslabs.com/anti-malware"&gt;anti-malware product reports&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Which products we tested:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;AVG Internet Security, version 8.5.364 &lt;/li&gt;&lt;li&gt;Eset Smart Security 4, version 4.0.437 &lt;/li&gt;&lt;li&gt;F-Secure Client Security version 8.01 &lt;/li&gt;&lt;li&gt;Kaspersky Internet Security 2010, version 9.0.0.459 &lt;/li&gt;&lt;li&gt;McAfee VirusScan Enterprise:8.7.0 + McAfee Site Advisor Enterprise:2.0.0 &lt;/li&gt;&lt;li&gt;Norman Endpoint protection for Small Business and Enterprise &lt;/li&gt;&lt;li&gt;Sophos Endpoint Protection for Enterprise - Anti-Virus version 7.6.8 &lt;/li&gt;&lt;li&gt;Symantec Endpoint Protection (for Enterprise), version 11 &lt;/li&gt;&lt;li&gt;Panda Internet Security 2009, version 14.00.00 &lt;/li&gt;&lt;li&gt;Trend Micro Office Scan Enterprise, version 10 &lt;/li&gt;&lt;/ol&gt;&lt;a href="http://nsslabs.com/anti-malware"&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-6167243154350625029?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/gAvxHSsV22w/are-anti-malware-products-commodity.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2009/09/are-anti-malware-products-commodity.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-6034710908846185647</guid><pubDate>Sat, 05 Sep 2009 23:20:00 
+0000</pubDate><atom:updated>2009-09-05T16:26:37.863-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Testing</category><category domain="http://www.blogger.com/atom/ns#">anti-malware</category><title>What % of threats do you expect your anti-malware product to stop?</title><description>We are about to publish a new round of anti-malware testing data and would like to compare &lt;span style="font-weight: bold;"&gt;perceptions &lt;/span&gt;with &lt;span style="font-weight: bold;"&gt;reality&lt;/span&gt;. I'm expecting some interesting results to say the least.&lt;br /&gt;&lt;br /&gt;7 simple questions here:&lt;br /&gt;&lt;a href="http://www.surveymonkey.com/s.aspx?sm=oiGBnkYL3i_2bBTEE4P24QNA_3d_3d"&gt;http://www.surveymonkey.com/s.aspx?sm=oiGBnkYL3i_2bBTEE4P24QNA_3d_3d&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Thanks for your help&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-6034710908846185647?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/Ijh9TFsKI94/what-of-threats-do-you-expect-your-anti.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2009/09/what-of-threats-do-you-expect-your-anti.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-6883203299991306930</guid><pubDate>Fri, 14 Aug 2009 05:33:00 +0000</pubDate><atom:updated>2009-08-13T22:39:50.388-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Phishing</category><category domain="http://www.blogger.com/atom/ns#">Testing</category><category domain="http://www.blogger.com/atom/ns#">anti-malware</category><category domain="http://www.blogger.com/atom/ns#">Browser</category><title>Q3 2009 Browser Security Tests Published</title><description>Today we published our 2nd round of &lt;a 
href="http://nsslabs.com/browser-security"&gt;live browser security tests&lt;/a&gt;. Two separate tests measured protection against phishing and socially engineered malware across 5 browsers: Apple Safari 4, Google Chrome 2, Mozilla Firefox 3, Opera 10 Beta and Windows Internet Explorer 8.&lt;br /&gt;&lt;br /&gt;A key takeaway is that while the other browsers maintained or decreased protection between the two tests, Internet Explorer continued to improve its protection against cybercriminals.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Socially engineered malware is the most common and impactful threat on the Internet today, with browser protection averaging between 1% and 81%. Internet Explorer 8 caught 81% of the socially engineered malware sites over time, leading other browsers by a 54% margin. Safari 4 and Firefox 3 caught 21% and 27% respectively, while Chrome 2 blocked 7% and Opera 10 Beta blocked 1%.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Phishing protection over time varied greatly between 2% and 83% among the browsers. Statistically, Internet Explorer 8 at 83% and Firefox 3 at 80% had a two-way tie for first, given the margin of error of 3.6%. Opera 10 Beta exhibited more extreme variances during testing and averaged 54% protection. Chrome 2 consistently blocked 26% of phishing sites, and Safari 4 offered just 2% overall protection. 
Crashing issues in Firefox 3.5 prevented it from being tested reliably.&lt;br /&gt;&lt;br /&gt;The full text and analysis of these and other reports on browser security can be found at &lt;a href="http://nsslabs.com/browser-security"&gt;http://nsslabs.com/browser-security&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The NSS Labs Live Testing methodology represents accurate, real-world testing that can be performed on information security products.&lt;br /&gt;&lt;br /&gt;- Newly discovered malicious phishing and malware sites were added to the test, which repeated every four hours 24x7 for a minimum of 12 days&lt;br /&gt;&lt;br /&gt;- All five browsers tested URLs simultaneously&lt;br /&gt;&lt;br /&gt;- All sites were validated before, during and after via multiple methods&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-6883203299991306930?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/8o-G4_I9vic/q3-2009-browser-security-tests.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2009/08/q3-2009-browser-security-tests.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-6873717248791810198</guid><pubDate>Tue, 04 Aug 2009 05:40:00 +0000</pubDate><atom:updated>2009-08-13T22:51:59.227-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">News</category><category domain="http://www.blogger.com/atom/ns#">Exploit</category><title>Google Drives Security Topics in the Media</title><description>At Black Hat 2009 in Las Vegas there was an interesting panel discussion with some very seasoned journalists who cover the security market. 
The question came up: "How do you [journalists] decide which topics to cover?"&lt;br /&gt;&lt;br /&gt;The answer included the expected: they rely on contacts, relationships, identifying trends and major news. But almost all of them agreed on this: &lt;span style="font-weight: bold;"&gt;Google influences the news&lt;/span&gt;. Google traffic, page views, etc. Editors are business people too. And the more viewers, the more the property is worth to advertisers. Thus, when Paris Hilton's cell phone gets hacked, or another star's Twitter or Facebook account is compromised, this counts as top news. People want to read it.&lt;br /&gt;&lt;br /&gt;Similarly, the panel agreed there was a focus on the 'bad news': the discovery of a vulnerability or exploit against a popular service or product. It was difficult for journalists to cover the solutions or positive trends as this would come close to promoting products, it was argued.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-6873717248791810198?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/RIo7j7zH0fk/google-drives-security-topics-in-media.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2009/08/google-drives-security-topics-in-media.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-6602641293755006597</guid><pubDate>Thu, 25 Jun 2009 23:56:00 +0000</pubDate><atom:updated>2009-06-25T17:29:40.843-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Security</category><category domain="http://www.blogger.com/atom/ns#">Testing</category><category domain="http://www.blogger.com/atom/ns#">Products</category><category domain="http://www.blogger.com/atom/ns#">anti-malware</category><title>Endpoint Protection Group Test 
Started</title><description>&lt;a href="http://nsslabs.com/"&gt;NSS Labs&lt;/a&gt; is continuing its testing of &lt;a href="http://nsslabs.com/anti-malware"&gt;anti-malware products&lt;/a&gt; and has started its first group test of endpoint protection products. We are testing the ability to protect against socially engineered malware downloaded from the web. This is a continuous live test that will measure time to protect, and average protection over time. All systems are connected to the live internet and subjected to actual downloads of actual, fresh malware every 4 hours over a period of 12 days.&lt;br /&gt;&lt;br /&gt;Both consumer and corporate products are being evaluated. Stay tuned for more information or contact me with any questions (rmoy).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-6602641293755006597?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/zD5mbgqC73E/endpoint-protection-group-test-started.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2009/06/endpoint-protection-group-test-started.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-6420859627505810368</guid><pubDate>Wed, 20 May 2009 01:40:00 +0000</pubDate><atom:updated>2009-05-19T22:46:52.497-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Products</category><category domain="http://www.blogger.com/atom/ns#">anti-malware</category><title>Two acquisitions in two weeks!</title><description>Within the last 2 weeks, two young companies that NSS Labs did independent certifications on were acquired. 
&lt;a href="http://thirdbrigade.com"&gt;ThirdBrigade&lt;/a&gt;, which makes &lt;a href="http://nsslabs.com/vendors/thirdbrigade.html"&gt;Host Intrusion Prevention Software (HIPS)&lt;/a&gt; was acquired by &lt;a href="http://trendmicro.com"&gt;TrendMicro&lt;/a&gt;, one of the major antimalware vendors. This product filled a server-side gap in their product line.&lt;br /&gt;&lt;a href="http://solidcore.com"&gt;Solidcore Systems&lt;/a&gt;, which makes memory firewall/application white listing products, was acquired by &lt;a href="http://mcafee.com"&gt;McAfee&lt;/a&gt;. The #2 antimalware vendor cum security vendor has added whitelisting to its billion dollar portfolio of antimalware, vulnerability and intrusion prevention products. In Q3 of 2008, NSS Labs had evaluated and certified the &lt;a href="http://nsslabs.com/host-malware-protection/solidcore-s3-control-embedded.html"&gt;S3 Control Embedded product as NSS Approved for Host Malware Protection&lt;/a&gt;.&lt;br /&gt;In a down economy, strong vendors go shopping for technologies to round out their product lines so they're in positions of strength when the buyers recover. Note, even with all the cost cutting and layoffs, there's always money left for strategic purposes. And if you're a CEO who is going to make a purchase in this economy, there's not much room for forgiveness. So, you can bet they did their homework on all sides: technology, sales execution, management, margins, balance sheet, etc. 
I'm pleased NSS Labs was able to help these young companies grow their businesses and wish them well in the next stages of their evolution.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-6420859627505810368?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/O8OvPT8e-MI/two-acquisitions-in-two-weeks.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2009/05/two-acquisitions-in-two-weeks.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-3443184332067799331</guid><pubDate>Fri, 15 May 2009 21:27:00 +0000</pubDate><atom:updated>2009-05-15T15:13:15.421-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Testing</category><category domain="http://www.blogger.com/atom/ns#">IPS</category><title>NSS Awards First Gold in 5 Years</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://nsslabs.com/media/logos/nsslabs_award_gold.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 120px; height: 124px;" src="http://nsslabs.com/media/logos/nsslabs_award_gold.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Yes, it's true. After a long 5 years of waiting for the next great product, at &lt;a href="http://rsaconference.com/"&gt;RSA Conference 2009&lt;/a&gt; this year, we bestowed the prestigious &lt;a href="http://nsslabs.com/2008/ibm-iss-gx6116-intrusion-prevention-system-achieves-nss-labs-gold-award-and-certification.html"&gt;NSS Labs Gold Award&lt;/a&gt; on IBM/ISS for its Proventia Network IPS GX6116. 
IBM's was the first IPS to pass our &lt;a href="http://nsslabs.com/SUM"&gt;new requirements for Gold&lt;/a&gt;, including the monthly recurring &lt;a href="http://nsslabs.com/SUM"&gt;Security Update Monitor&lt;/a&gt; (SUM) program testing.&lt;br /&gt;&lt;br /&gt;The GX6116 scored an average of 98.6% over the 3 consecutive months of testing. This new recurring testing program ensures that vendors are keeping up with current threat protection levels as advertised. Each month our engineers add new attacks to the test set according to our modified CVSS ranking of enterprise-relevant vulnerabilities. Unlike other tests, the vendors do not know which exploits will be used in this blind test. So 98.6% is pretty impressive. Most other products don't do nearly as well.&lt;br /&gt;&lt;br /&gt;Also to be commended is the 8Gbps of real-world throughput achieved by the GX. Certainly, the IBM team worked hard and should be proud of their accomplishments on this rigorous test program. Here is &lt;a href="http://nsslabs.com/media/gold/RSA-NSS-IBM%20Award1.jpg"&gt;Brian Truskowski&lt;/a&gt;, General Manager of IBM/ISS, accepting the NSS Gold Award; and his &lt;a href="http://nsslabs.com/media/gold/RSA-NSS-IBM%20Award2.jpg"&gt;team&lt;/a&gt;: Dan Holden, John Pirc, Eric York, Greg Adams.&lt;br /&gt;&lt;br /&gt;IBM isn't the only participant in the program. 
You can look forward to monthly testing from McAfee as well (coming soon).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-3443184332067799331?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/s6hhNTvBwQE/nss-awards-first-gold-in-5-years.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2009/05/nss-awards-first-gold-in-5-years.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-4657638363124393209</guid><pubDate>Tue, 31 Mar 2009 23:54:00 +0000</pubDate><atom:updated>2009-04-01T17:09:39.244-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Security</category><category domain="http://www.blogger.com/atom/ns#">Testing</category><category domain="http://www.blogger.com/atom/ns#">Methodologies</category><category domain="http://www.blogger.com/atom/ns#">anti-malware</category><category domain="http://www.blogger.com/atom/ns#">Browser</category><title>Live Testing, web malware and assumptions...</title><description>NSS labs just uploaded the video archive of the &lt;a href="http://nsslabs.com/events/webinar-web-browser-protection-against-web-malware.html"&gt;Live Testing Webinar&lt;/a&gt; we did on 3/31. This was a webinar with live Q&amp;amp;A as a follow up to the initial &lt;a href="http://www.nsslabs.com/anti-malware/browser-security"&gt;browser security test report&lt;/a&gt; we performed on 6 different web browsers' ability to block socially engineered malware. As we roll out this new test methodology we wanted to give readers a deeper, interactive look into the testing process. 
There were a few questions from readers about how we did it, why it's more relevant than static or 'in-lab' dynamic testing, and how to interpret the different measurements, etc.&lt;br /&gt;Interestingly we are hearing from two different camps. A few bloggers/journalists are finding their assumptions challenged about their favorite programs; "how can that be?" Meanwhile, 'hard core' security researchers are telling us they are glad to see more comprehensive empirical validation of some of their own data points. Regardless of whether your assumptions were validated or challenged, the data can now drive the conversation - and future research.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-4657638363124393209?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/8pfCw4rXbGM/live-testing-web-malware-and.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2009/03/live-testing-web-malware-and.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-4880055735623963629</guid><pubDate>Mon, 30 Mar 2009 04:15:00 +0000</pubDate><atom:updated>2009-03-29T21:24:01.281-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Security</category><category domain="http://www.blogger.com/atom/ns#">anti-malware</category><title>CBS News covers Socially Engineered Malware</title><description>The lead story tonight on CBS News' &lt;a href="http://www.cbsnews.com/video/watch/?id=4901282n"&gt;60 minutes &lt;/a&gt;show was about socially engineered malware pushed by cyber gangs. One can see a good example of how users are tricked into clicking on links sent to them from supposed friends via social networking sites. 
Symantec's Steve Trilling also explained the workings of the Conficker worm and a keylogger trojan to the CBS anchor, Lesley Stahl. Very timely given the upcoming April 1 'trigger date' for Conficker. &lt;a href="http://nsslabs.com/"&gt;NSS Labs &lt;/a&gt;of course recently published a report on &lt;a href="http://nsslabs.com/anti-malware/browser-security"&gt;socially engineered malware testing &lt;/a&gt;we performed in early March.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-4880055735623963629?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/01OWLYJ_Y5A/cbs-news-covers-socially-engineered.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2009/03/cbs-news-covers-socially-engineered.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-6403560093013568610</guid><pubDate>Thu, 19 Mar 2009 21:36:00 +0000</pubDate><atom:updated>2009-03-19T15:10:51.867-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Security</category><category domain="http://www.blogger.com/atom/ns#">Testing</category><category domain="http://www.blogger.com/atom/ns#">anti-malware</category><category domain="http://www.blogger.com/atom/ns#">Browser</category><title>web browser security study - socially engineered malware</title><description>NSS Labs just released a study we did on 6 leading web browsers' ability to stop socially engineered malware attacks. We tested Safari, Chrome, IE7, IE8, Firefox and Opera. This is extremely relevant today since the majority of malware is currently being delivered via the web. Trend Micro research puts it globally at 53%, dwarfing email at just 12%. 
Oh how times have changed.&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;Read the full report here: &lt;a href="http://nsslabs.com/anti-malware/browser-security"&gt;http://nsslabs.com/anti-malware/browser-security&lt;/a&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Also notable, this was the industry’s first live test of fresh malware sites. We pulled thousands of URLs off the web in real-time and fed them into 6 different browsers (84 unique machines) every 2 hours. A lot of work went into building this test harness and you'll certainly be hearing more about it shortly. Also keep in mind, while the highest score was Microsoft at 69%, this is nothing to sneeze at. All of the sites were extremely fresh, and the time between detection on the web and testing in the harness was between 30 minutes and 2 hours. Compare this to a VB100, ICSA, West Coast or other wild-list type test where the malware is generally 2+ months old. Our new Live Testing model yields a much more real-world assessment of anti-malware detection rates.&lt;/p&gt;&lt;p class="MsoNormal"&gt;As far as the results, we were pleasantly surprised at just how well IE8 did. Browsers, and IE8 in particular, are becoming a viable extra layer of security on top of anti-malware/endpoint protection.&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;Note: NSS Labs developed the test methodology and infrastructure independently. Microsoft provided funding. 
&lt;/p&gt;&lt;br /&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;a href="http://nsslabs.com/anti-malware/browser-security"&gt;&lt;/a&gt; &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-6403560093013568610?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/1mbH19ZgMvY/web-browser-security-study-socially.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2009/03/web-browser-security-study-socially.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-6056653178693949937</guid><pubDate>Fri, 23 Jan 2009 20:31:00 +0000</pubDate><atom:updated>2009-01-26T12:16:13.409-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Security</category><category domain="http://www.blogger.com/atom/ns#">Testing</category><category domain="http://www.blogger.com/atom/ns#">IPS</category><title>First 10Gbps IPS certification: McAfee M-8000 receives NSS Labs Approved</title><description>&lt;span style="font-size:180%;"&gt;10Gbps&lt;/span&gt;:&lt;br /&gt;&lt;a href="http://www.nsslabs.com"&gt;NSS Labs&lt;/a&gt; just released the first 10Gbps IPS certification as part of our 10Gbps IPS group test. A number of vendors are offering 10Gbps appliances: Juniper, McAfee, Enterasys, Force10, Sourcefire. McAfee's M-8000 was the first to pass our extensive testing and receive &lt;a href="http://nsslabs.com/IPS/McAfee-M8000.html"&gt;certification&lt;/a&gt;. In addition to meeting the rigorous performance requirements, the product scored exceptionally well on the security effectiveness testing. 
Read the full report &lt;a href="http://nsslabs.com/IPS/McAfee-M8000.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Still other vendors are taking the solution approach by including a load balancer and multiple IPS devices. It should be noted, these could use any reasonable switching approach to stack/VLAN multiple physical IPS devices into one logical unit. Think of products from the likes of: IBM, Cisco, Crossbeam (Chassis/Blade),  Sourcefire, TippingPoint, TopLayer, etc. Depending on what a company already has installed, and what their growth/infrastructure plans look like, this model could also work well. It will come down to a TCO and effectiveness decision.&lt;br /&gt;&lt;br /&gt;It should be noted that this was an award that was a long time in the making since we announced the testing in the summer of 2008; and many vendors had announced products well before that.  Indeed there are many reasons why it takes so long. #1 - It's hard to get right. It is not necessarily easy for a vendor that has a 'successful' 1Gbps IPS to deliver the same quality product that truly meets 10Gbps requirements. We just held a &lt;a href="http://nsslabs.com/events/webinar-10gbps-intrusion-prevention.html"&gt;technical webinar&lt;/a&gt; on the topic of 10Gbps IPS. We covered the challenges that vendors face when making a 10 Gbps IPS, as well as those faced by buyers who are evaluating these products. The webinar is recorded and available &lt;a href="http://nsslabs.com/events/webinar-10gbps-intrusion-prevention.html"&gt;here&lt;/a&gt;. I was pleasantly surprised to receive several comments that this was the "best webinar ever," and very informative. If you don't have time to listen to the webinar, you can probably at least peruse the &lt;a href="http://nsslabs.com/webinars/NSS%20Labs%2010g%20webinar.pdf"&gt;slides&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;As we've seen in our testing, there are plenty of gotchas to look out for. 
And for this large and complex of a purchase, most of the potential buyers do NOT have the capabilities to adequately evaluate and test such a product. In such cases it should really behoove the vendors who have done a good job to have their products validated by a competent 3rd party. So be sure to ask your vendor what kind of testing and certification the product has gone through. (OK, somewhat of a trick question: I must confess I don't know of any other lab capable of doing the level of testing that we do, either in terms of throughput or security ;-)&lt;br /&gt;&lt;br /&gt;/rick&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-6056653178693949937?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/034uKUXVg5s/first-10gbps-ips-certification-mcafee-m.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2009/01/first-10gbps-ips-certification-mcafee-m.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-2596176347426865812</guid><pubDate>Wed, 21 Jan 2009 06:40:00 +0000</pubDate><atom:updated>2009-01-20T23:17:12.414-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Testing</category><category domain="http://www.blogger.com/atom/ns#">Misc</category><title>The value of "reviews" just went down another notch</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_iiOZc7oLEX8/SXbFW4QHtfI/AAAAAAAAA3s/APbdVcfDb9o/s1600-h/pig-lipstick.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 151px; height: 200px;" src="http://3.bp.blogspot.com/_iiOZc7oLEX8/SXbFW4QHtfI/AAAAAAAAA3s/APbdVcfDb9o/s200/pig-lipstick.jpg" alt="" id="BLOGGER_PHOTO_ID_5293635408868390386" border="0" 
/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Belkin is today's unfortunate poster child of dishonest marketing, the euphemistic "putting lipstick on a pig".&lt;br /&gt;&lt;br /&gt;When I began my career in IT, a while ago, I relied on user reviews to provide me with some guidance. Which products were better than others, more reliable, faster, etc. The world of user-based reviews has slid a long way. Apparently a sales rep at Belkin had been hiring people on the internet to flag negative reviews of his products as "unhelpful" and post positive ones. There are plenty of other journalists and bloggers lambasting the guy, and the company president for denying and then brushing over the transgression. Amazingly, the employee still has his job.  PC World covers the pandemic further &lt;a href="http://www.pcworld.com/article/152380/online_user_reviews_can_they_be_trusted.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Folks: This is why a trusted independent 3rd party&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm1.static.flickr.com/57/155595430_c5c05260e2.jpg?v=0"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 322px; height: 359px;" src="http://farm1.static.flickr.com/57/155595430_c5c05260e2.jpg?v=0" alt="" border="0" /&gt;&lt;/a&gt; is so important when it comes to getting good advice about products. Individuals with a sales quota and a boss to please, or companies with investors to show returns for, have financial motivations that can tempt them to cross the line. "Users" can be anyone, write anything, and have almost absolute anonymity, and no accountability. Reviews can be written in such a way that they are generic enough to apply to any product, allowing them to spam such services that host reviews. This "review SPAM" (can we coin RSPAM now?) 
can appear on any magazine site, or portal, regardless of how trusted the mother brand may be.&lt;br /&gt;&lt;br /&gt;To reach back to a 1990's cartoon that has new meaning here, on the internet, you just don't know which reviews are dogs.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-2596176347426865812?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/6IKVZQcMZ6M/value-of-reviews-just-went-down-another.html</link><author>noreply@blogger.com (Rick Moy)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_iiOZc7oLEX8/SXbFW4QHtfI/AAAAAAAAA3s/APbdVcfDb9o/s72-c/pig-lipstick.jpg" height="72" width="72" /><feedburner:origLink>http://nsslabs.blogspot.com/2009/01/value-of-reviews-just-went-down-another.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-3756387865332450153</guid><pubDate>Thu, 08 Jan 2009 02:34:00 +0000</pubDate><atom:updated>2009-01-07T19:05:07.715-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Testing</category><category domain="http://www.blogger.com/atom/ns#">IPS</category><category domain="http://www.blogger.com/atom/ns#">events</category><title>Webinar: 10Gbps Intrusion Prevention</title><description>Are 10Gbps network IPS products mature enough for deployment? Depends... Join our upcoming &lt;a href="http://nsslabs.com/events/webinar-10gbps-intrusion-prevention.html"&gt;webcast &lt;/a&gt;to find out why 10Gbps IPS is more than 10 times more difficult to get right than &lt;a href="http://www.nsslabs.com/ips"&gt;1Gbps IPS&lt;/a&gt;. &lt;a href="http://nsslabs.com/general/management.html"&gt;NSS Labs' Vik Phatak&lt;/a&gt; will also walk through a checklist of criteria to look for when evaluating products. 
We'll also give a behind the scenes look at how we implement our industry standard &lt;a href="http://nsslabs.com/certification-criteria/ips"&gt;IPS test methodology&lt;/a&gt; using products like &lt;a href="http://breakingpointsys.com/"&gt;BreakingPoint&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;You can also look forward to some real experiences culled from our &lt;a href="http://nsslabs.com/2008/nss-labs-to-conduct-10-gbps-network-intrusion-prevention-group-test.html"&gt;10Gbps IPS group test&lt;/a&gt;. The first results forthcoming end of January 09 and the full report end of Q1.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-3756387865332450153?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/KaBI53EbY7Y/webinar-10gbps-intrusion-prevention.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2009/01/webinar-10gbps-intrusion-prevention.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-174631315486820180</guid><pubDate>Mon, 22 Dec 2008 12:45:00 +0000</pubDate><atom:updated>2008-12-22T17:36:05.854-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Security</category><category domain="http://www.blogger.com/atom/ns#">IPS</category><category domain="http://www.blogger.com/atom/ns#">Exploit</category><category domain="http://www.blogger.com/atom/ns#">anti-malware</category><category domain="http://www.blogger.com/atom/ns#">Browser</category><title>Which endpoint protection products stop IE Exploits?</title><description>&lt;p&gt; During the week of Dec 15-18, &lt;a href="http://nsslabs.com/"&gt;NSS Labs&lt;/a&gt; conducted a series of &lt;a href="http://nsslabs.com/endpoint-protection/internet-explorer-vulnerability-protection.html"&gt;tests of popular anti-malware and endpoint 
protection products&lt;/a&gt; to evaluate their ability to protect clients from exploits targeting the &lt;a href="http://nsslabs.com/white-papers/exploits-vs-drive-by-downloads.html"&gt;IE vulnerability&lt;/a&gt;. The results are somewhat surprising, showing a broad lack of protection from current enterprise products. Admins are advised to read this and address any gaps ASAP.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Tested antivirus/anti-malware/endpoint protection products include: &lt;/p&gt;&lt;ul&gt;&lt;li&gt;AVG Internet Security Network Edition v8.0&lt;/li&gt;&lt;li&gt;Kaspersky Total Space Security v6.0&lt;/li&gt;&lt;li&gt;McAfee Total Protection for Endpoint&lt;/li&gt;&lt;li&gt;Sophos Endpoint Security and Control v8.0&lt;/li&gt;&lt;li&gt;Symantec Endpoint Protection 11.0.2 MR2&lt;/li&gt;&lt;li&gt;Trend Micro Officescan 8.0 SP1 R3&lt;/li&gt;&lt;/ul&gt;Read the report &lt;a href="http://nsslabs.com/endpoint-protection/internet-explorer-vulnerability-protection.html"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-174631315486820180?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/ofQQwAQFakY/which-endpoint-protection-products-stop.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2008/12/which-endpoint-protection-products-stop.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-8017748919516254949</guid><pubDate>Mon, 22 Dec 2008 08:11:00 +0000</pubDate><atom:updated>2008-12-22T00:35:33.403-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Security</category><category domain="http://www.blogger.com/atom/ns#">IPS</category><category domain="http://www.blogger.com/atom/ns#">Exploit</category><category 
domain="http://www.blogger.com/atom/ns#">Browser</category><title>Exploits vs Drive-by Downloads</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_iiOZc7oLEX8/SU9RHYvzXqI/AAAAAAAAA1s/4hdAhZM3sYM/s1600-h/driveby2.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 200px; height: 95px;" src="http://2.bp.blogspot.com/_iiOZc7oLEX8/SU9RHYvzXqI/AAAAAAAAA1s/4hdAhZM3sYM/s200/driveby2.jpg" alt="" id="BLOGGER_PHOTO_ID_5282530075272765090" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;What's a "drive-by download" anyways? Recent discussions and the flurry of media articles about the recent Microsoft Internet Explorer vulnerability have given rise to some discussion. So, we at &lt;a href="http://www.nsslabs.com/"&gt;NSS Labs &lt;/a&gt;decided to provide this clarification of &lt;a href="http://nsslabs.com/white-papers/exploits-vs-drive-by-downloads.html"&gt;exploits vs drive-by downloads&lt;/a&gt; in response to some research and discussions we've had with a number of end-users and vendors. Our recent research into the &lt;a href="http://nsslabs.blogspot.com/2008/12/microsoft-ie7-zero-day-exploit-patch.html"&gt;Internet Explorer exploits&lt;/a&gt; revealed that some vendors and enterprises were not 'framing' the problem properly.&lt;br /&gt;&lt;br /&gt;The "drive-by download" is the result of a successful exploit. It is worth noting that the exploit could have executed any arbitrary code, including returning a shell prompt, deleting or encrypting files, etc. But, more likely than not these days, the perpetrator prefers to go unnoticed so they can continue to leverage the newest member of their botnet in their quest for world domination. So, more frequently we see keyloggers, trojans, and other 'quiet' culprits. 
Come to think of it, drive-bys are usually pretty noisy with all the shooting and screeching of tires and such.&lt;br /&gt;&lt;br /&gt;So, when vendors and end-users talk about the "download" it can unduly shift the focus towards the result and away from the cause. There are very few exploits compared to hundreds of thousands of pieces of malware. And the exploits are easier to detect - if you are looking in the right place... &lt;a href="http://nsslabs.com/ips"&gt;Network IPS&lt;/a&gt; and Host IPS (which can be part of an endpoint protection product) are two great solutions.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://nsslabs.com/white-papers/exploits-vs-drive-by-downloads.html"&gt;Exploits vs Drive-by Downloads&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-8017748919516254949?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/ErFeSzibDRI/exploits-vs-drive-by-downloads.html</link><author>noreply@blogger.com (Rick Moy)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_iiOZc7oLEX8/SU9RHYvzXqI/AAAAAAAAA1s/4hdAhZM3sYM/s72-c/driveby2.jpg" height="72" width="72" /><feedburner:origLink>http://nsslabs.blogspot.com/2008/12/exploits-vs-drive-by-downloads.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-393876033523362267</guid><pubDate>Thu, 18 Dec 2008 00:39:00 +0000</pubDate><atom:updated>2008-12-20T21:15:06.134-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Security</category><category domain="http://www.blogger.com/atom/ns#">nsslabs</category><category domain="http://www.blogger.com/atom/ns#">Exploit</category><category domain="http://www.blogger.com/atom/ns#">Browser</category><title>Microsoft IE7 zero day exploit - patch released</title><description>Today, just 7 
days after the discovery of a critical zero-day exploit in Microsoft's popular Internet Explorer (see &lt;a href="http://www.microsoft.com/technet/security/advisory/961051.mspx"&gt;Microsoft Security Advisory 961051&lt;/a&gt;), Microsoft has released its analysis and a public patch via various Windows Update services.&lt;br /&gt;&lt;br /&gt;We at &lt;a href="http://nsslabs.com/"&gt;NSS Labs&lt;/a&gt; have been following this closely, as live exploits have been circulating and growing rapidly, reaching more than 10,000 infected sites (TrendMicro). There are different implementations, including JavaScript and ActiveX, that exploit the XML parser in IE versions 5.01 through IE8 beta 2. See the official description and analysis from Microsoft &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx"&gt;MS08-078&lt;/a&gt; for a complete list of affected versions and systems. And on the more interesting side, HD Moore at BreakingPoint Systems describes his &lt;a href="http://www.breakingpointsystems.com/community/blog/patch-tuesdays-and-drive-by-sundays"&gt;analysis&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-393876033523362267?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/7F3KOrgf050/microsoft-ie7-zero-day-exploit-patch.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2008/12/microsoft-ie7-zero-day-exploit-patch.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-265388288351683390</guid><pubDate>Mon, 15 Dec 2008 09:11:00 +0000</pubDate><atom:updated>2008-12-15T01:13:42.150-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">PCI Compliance</category><category domain="http://www.blogger.com/atom/ns#">Testing</category><title>IBM’s Proventia 
Server for Windows v2 passes NSS Labs PCI Suitability Testing</title><description>&lt;p&gt;IBM’s Proventia Server for Windows v2 has successfully passed NSS Labs’ PCI Suitability testing for Host Intrusion Prevention Systems (HIPS). The security effectiveness of Proventia Server for Windows 2.0 was excellent. NSS Labs tested the product on numerous Windows platforms, and a wide range of applications. Proventia Server for Windows 2.0 detected and blocked a total of 64 exploits (98.5%) – all of which were Attacker Initiated. Support for PCI DSS requirements was excellent. Overall, out of 58 tested requirements, the product supports 57 (98%). &lt;/p&gt;&lt;p&gt;Read the complete &lt;a href="http://nsslabs.com/pci-suitability/ibm-proventia-server-for-windows-v2-hips.html" target="_blank"&gt;report on IBM's Proventia Server&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-265388288351683390?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/z3zG0Y9yvV0/ibms-proventia-server-for-windows-v2.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2008/12/ibms-proventia-server-for-windows-v2.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-5580466443856434911</guid><pubDate>Thu, 20 Nov 2008 01:51:00 +0000</pubDate><atom:updated>2008-11-24T17:58:51.888-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Security</category><category domain="http://www.blogger.com/atom/ns#">IPS</category><category domain="http://www.blogger.com/atom/ns#">Performance</category><title>"Strategic" solutions vs. 
"pure play"</title><description>Vik Phatak of &lt;a href="http://www.nsslabs.com"&gt;NSS Labs&lt;/a&gt; discussed the impact of running IPS within a router in this Network World article about &lt;a href="http://www.networkworld.com/news/2008/111708-cisco-sec.html?hpg1=bn"&gt;integrated security&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-5580466443856434911?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/_bqQTWys4mI/strategic-solutions-vs-pure-play.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2008/11/strategic-solutions-vs-pure-play.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-1555707415220381263</guid><pubDate>Tue, 18 Nov 2008 07:45:00 +0000</pubDate><atom:updated>2008-11-24T12:51:54.444-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Security</category><category domain="http://www.blogger.com/atom/ns#">Methodologies</category><category domain="http://www.blogger.com/atom/ns#">IPS</category><category domain="http://www.blogger.com/atom/ns#">nsslabs</category><title>Gartner lists NSS Labs certification as criteria for Magic Quadrant</title><description>&lt;span style="font-family:arial;"&gt;In case anyone is wondering what the value of an NSS certification is, Gartner has recently recognized the value of NSS Labs certifications by adding them to the short list of criteria for products to achieve ranking in the coveted Gartner Magic Quadrant for Network IPS. NSS Labs pioneered the Network Intrusion Prevention Systems (IPS) standards and test methodologies as early as 2002, and these are globally recognized as the de facto gold standard for the industry. 
3rd party testing such as NSS Labs group test certification is an important measure of&lt;span style="font-style: italic;"&gt; product quality&lt;/span&gt;, which carries the highest weighting of all the &lt;span style="font-style: italic;"&gt;evaluation criteria&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;The fact that NSS was listed before Common Criteria was probably not accidental. The difference between the two evaluations is significant; NSS evaluates real-world security effectiveness and performance, whereas CC primarily evaluates the processes used to create a product.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-family:arial;"&gt;Note: NSS Labs has completed a number of &lt;a href="http://www.nsslabs.com/ips"&gt;network IPS product evaluations&lt;/a&gt; this year on products from IBM, Juniper and others and is currently performing the industry's only &lt;a href="http://nsslabs.com/2008/nss-labs-to-conduct-10-gbps-network-intrusion-prevention-group-test.html"&gt;10 Gbps IPS group test&lt;/a&gt;.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-family:arial;"&gt;We hear time and again from information security managers and CISOs that our reports are helping them make informed decisions that they couldn't make with less rigorous evaluations. Such acknowledgement makes what we do all the more rewarding. On behalf of all the staff and engineers at NSS Labs, I'd like to thank the gentlemen at Gartner for acknowledging the efforts of our product analysts.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-family:arial;"&gt;P.S. 
We don't plan to stop at IPS...&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-1555707415220381263?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/jy89FcK7ufE/gartner-specifies-nss-certification-for.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2008/11/gartner-specifies-nss-certification-for.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-1000443193480204958</guid><pubDate>Mon, 03 Nov 2008 05:15:00 +0000</pubDate><atom:updated>2008-12-20T21:20:30.229-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Testing</category><category domain="http://www.blogger.com/atom/ns#">Misc</category><title>Test in the "ether"</title><description>We at NSS Labs work pretty hard testing network, host and other information security products. Gruelling but rewarding work. 
Sometimes we get to have a little fun as well, like this recent "Air-Test."&lt;br /&gt;&lt;br /&gt;&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/YYb37cYQnvI&amp;amp;hl=en&amp;amp;fs=1"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/YYb37cYQnvI&amp;amp;hl=en&amp;amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-1000443193480204958?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/KMZ9nK8I_fg/test-in-ether.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2008/11/test-in-ether.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-40350011954938691</guid><pubDate>Wed, 29 Oct 2008 03:18:00 +0000</pubDate><atom:updated>2008-10-28T20:51:10.873-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">PCI Compliance</category><category domain="http://www.blogger.com/atom/ns#">Security</category><category domain="http://www.blogger.com/atom/ns#">events</category><title>RSA Conference: Short-term impact of the financial crisis</title><description>Here at the &lt;a href="http://www.rsaconference.com/2008/Europe/Home.aspx"&gt;RSA Security Conference 2008&lt;/a&gt; in London's &lt;a href="http://picasaweb.google.com/rickmoy/20081028RSAEurope#5262400671827142002"&gt;ExCel Centre&lt;/a&gt;. In a recent interview with netevents I was asked -&lt;br /&gt;Q: "What's the long-term security outlook?"&lt;br /&gt;A: Long-term it’s good for several reasons.&lt;br /&gt;1. 
Vendors are constantly developing new and improved products.&lt;br /&gt;2. Users are getting more awareness and practical security training.&lt;br /&gt;3. Companies derive competitive advantages by connecting with suppliers, customers and partners. It's increasingly understood by business managers that 'networking stuff' is needed to make money. And thanks to compliance mandates like PCI DSS, security is getting more attention and funding. Or at least it was.&lt;br /&gt;&lt;br /&gt;Short-term there’s an increasing danger of secondary ripple effects of the financial crisis. IT Security organizations, and other cost centers, will likely be squeezed to invest less time, resources and finances on solving security problems. This would be a dangerous win for the bad guys, who could have weaker, more poorly funded defenses to contend with.&lt;br /&gt;&lt;br /&gt;Contrast this with the time when governments on both sides of the axis had a clear focus and funding for cryptographic technologies as a lever in the information warfare of WWII.&lt;br /&gt;&lt;img src="http://lh6.ggpht.com/rickmoy/SQfNwn7IFgI/AAAAAAAAAg4/HRmTMNJIgeA/s144/100_0068.JPG" /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-40350011954938691?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/0h4bSVwWciY/rsa-conference-short-term-impact-of.html</link><author>noreply@blogger.com (Rick Moy)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://lh6.ggpht.com/rickmoy/SQfNwn7IFgI/AAAAAAAAAg4/HRmTMNJIgeA/s72-c/100_0068.JPG" height="72" width="72" /><feedburner:origLink>http://nsslabs.blogspot.com/2008/10/rsa-conference-short-term-impact-of.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7284693229621840678.post-8778739504538088120</guid><pubDate>Thu, 16 Oct 2008 23:14:00 
+0000</pubDate><atom:updated>2008-10-28T21:07:58.781-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Testing</category><category domain="http://www.blogger.com/atom/ns#">Products</category><title>Why doesn't NSS Labs have a report on Product X?</title><description>Just because you don't see a product evaluation report on our website, it does not mean we have not evaluated the product. There are several possible scenarios:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;NSS Labs is in process of testing the product. However, due to NDA and confidentiality reasons we cannot disclose whether or not we are testing a given product until the vendor decides to make it public. &lt;/li&gt;&lt;li&gt;The product vendor is waiting to release a new major revision before having it (re-)certified.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The product was evaluated by NSS Labs, but issues were found that the vendor opted to fix before completing the public certification.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The product simply has not yet been evaluated.  NSS Labs operates meaningful and rigorous product testing. Not every vendor wishes to subject their product to this process.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;NSS Labs makes every effort to involve product vendors in our tests. However, for various reasons, we cannot always secure their participation. 
Since you as a reader may not know which of the above cases is true, we recommend you inquire with the product vendor's PR or product management team.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7284693229621840678-8778739504538088120?l=nsslabs.blogspot.com'/&gt;&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/SecurityProductTesting/~3/nRHQwcLgCqs/why-doesnt-nss-labs-have-report-on.html</link><author>noreply@blogger.com (Rick Moy)</author><feedburner:origLink>http://nsslabs.blogspot.com/2008/10/why-doesnt-nss-labs-have-report-on.html</feedburner:origLink></item></channel></rss>
