Oct 28, 2008

RSA Conference: Short-term impact of the financial crisis

I am here at the RSA Security Conference 2008 in London's ExCeL Centre. In a recent interview with netevents I was asked:
Q: "What's the long-term security outlook?"
A: Long-term it’s good for several reasons.
1. Vendors are constantly developing new and improved products.
2. Users are getting more awareness and practical security training.
3. Companies derive competitive advantages by connecting with suppliers, customers and partners. It's increasingly understood by business managers that 'networking stuff' is needed to make money. And thanks to compliance mandates like PCI DSS, security is getting more attention and funding. Or at least it was.

Short-term there's an increasing danger of secondary ripple effects from the financial crisis. IT security organizations, like other cost centers, will likely be squeezed to invest less time, fewer resources and less money in solving security problems. This would be a dangerous win for the bad guys, who would then face weaker, more poorly funded defenses.

Contrast this with the time when governments on both sides of the axis had a clear focus and funding for cryptographic technologies as a lever in the information warfare of WWII.

Oct 16, 2008

Why doesn't NSS Labs have a report on Product X?

Just because you don't see a product evaluation report on our website, it does not mean we have not evaluated the product. There are several possible scenarios:
  • NSS Labs is in the process of testing the product. However, for NDA and confidentiality reasons we cannot disclose whether or not we are testing a given product until the vendor decides to make it public.
  • The product vendor is waiting to release a new major revision before having it (re-)certified.
  • The product was evaluated by NSS Labs, but issues were found that the vendor opted to fix before completing the public certification.
  • The product simply has not yet been evaluated. NSS Labs operates meaningful and rigorous product testing. Not every vendor wishes to subject their product to this process.
NSS Labs makes every effort to involve product vendors in our tests. However, for various reasons, we cannot always secure their participation. Since you as a reader may not know which of the above cases is true, we recommend you inquire with the product vendor's PR or product management team.

Oct 10, 2008

How long is a product certification valid?

Recently we have been asked about some of our older product certification reports (some going all the way back to 2001): whether or not they are still valid, what has changed, and so on. So just how long is a product certification valid?

From an IT Security buyer's perspective, the question is really: how long after the certification does the product still offer similar effectiveness, performance and usability characteristics? How well do they still meet the essential criteria?
  1. Unlike static applications, security products with updates (signatures, heuristics, code, patches) change frequently in order to remain effective. (IPS products generally release new signatures on a weekly or daily basis. Antivirus products are becoming increasingly dynamic: last year Kaspersky was pushing hourly updates, and recently McAfee and Symantec have boasted 'real-time' updates.) Thus, a product could increase or decrease effectiveness significantly even 6 months out.
  2. Performance can change any time the code is changed. Yes, even a 'little' maintenance patch can have pronounced effects on throughput, state tables, latency, etc. To be fair, the converse is true: a vendor could release a patch that improves performance. Oh, and the more signatures that are turned on by default, the more resources are consumed, which negatively affects performance.
  3. Unfortunately, management capabilities don't change often enough. So if an interface is 'so-so', you can probably count on having to live with it for a while. Intuitive, easy-to-use interfaces are one of the underserved areas of security products.
These are all things that buyers should check on, whether it is in an NSS Labs report, or some other evaluation. The short answer (which I saved for last) is that a certification can be leveraged by a vendor for one major release cycle. These are generally 18 months long. Any new major release, and buyers should really ask for an updated report. Beware of certifications that are 2, 3, or even 4 or more years old.

Here's a little-known trick! Carefully scrutinize products that have not changed the major version number in a loooong time. Some vendors keep the same major version and modify only the minor numbers for years on end in order to circumvent the recertification requirements of painful things like Common Criteria.

NSS Labs does not withdraw certifications after an arbitrary period of time. Perhaps we should; some other labs do, and, to be blunt, we could likely make more money that way. Instead, we rely on vendor willingness to 'step up and show their mettle.'

Oct 8, 2008

Greasing the skids of commerce

"Commerce requires a meeting of the minds between buyer and seller, and it's just not happening. The sellers can't explain what they're selling to the buyers, and the buyers don't buy because they don't understand what the sellers are selling. There's a mismatch between the two; they're so far apart that they're barely speaking the same language." Bruce Schneier on the security industry.

Having been on both sides of the vendor-IT buyer fence, I can definitely relate to both parties' frustration. In this vein, some have referred to NSS Labs reports as 'next generation sales collateral', bridging the gap between brochureware and a proof-of-concept test (and who has the time, expertise and resources for all that anyway).

Oct 6, 2008

North American PCI Community Meeting

We just got back from the North American PCI community meeting. The turnout was about double that of the 2007 meeting, with all the major QSAs and many name-brand retailers and banks in attendance, and the SSC has clearly achieved quite a bit in the last year. Changes in the new PCI DSS version 1.2 were discussed, the first in-person Special Interest Group (SIG) meetings took place, and there were even about 40 vendor exhibits. Branden Williams, Director of the PCI Practice at Verisign, and I sat down and talked about some of the trends and changes in DSS 1.2 (watch the video).

The exhibits were a great opportunity to meet face to face with top technical representatives from these vendors and QSAs. In return, they got direct access to key influencers and decision-makers in the PCI community. An interesting note about the marketing banners: just about all claimed to have an easy PCI compliance solution. Of course, practitioners know there is no magical "PCI Compliance Solution" and that compliance is more of a process or journey in which the multiple layers of detail cannot be avoided. But clearly some marketers are going for the standard easy, benefit-oriented taglines, because after all, a marketer's goal is to get you to stop and listen. We heard a lot of merchants and card brands talking about the challenge of getting to that next layer of information, which was a great segue into what NSS Labs does to validate vendor product functionality and specifically how it relates to PCI DSS.

Vik and I are serving as secretaries for the Wireless Security SIG, and I was honored to be able to address the community and provide an update on the SIG's activities. The goal of the SIGs is to make recommendations to the council, which will then review the recommendations, ask questions and render the final decisions. Without revealing too much, it is important to know that we are not taking a technology-centric approach that will make life harder for merchants. Rather, the SIG has decided to take a problem-oriented approach to the task, focusing first on the problems we are trying to solve for specific groups of users, very similar to the methods taught by Pragmatic Marketing. So, Level 3 & 4 merchants who believe they do not have wireless in their network would be one use case; Level 1 & 2 merchants with known use of WiFi would be another. Of course there are many details, and there are sub-groups working on implementation guides and advanced technologies (like Bluetooth and satellite). If you're a participating organization and would like to 'participate', drop me a line - rmoy AT you know where.