Mar 16, 2011

What's your next browser?

Web browsers have become the new killer app - serving as the platform for accessing our favorite personal and business applications in the cloud. As we've discussed previously on this blog and in our research, web browsers, and more often their plug-ins, represent significant vulnerability risks to individuals and organizations. This week we find ourselves in a unique point in time, when several major browser upgrades have been released (or are imminently upon us): Chrome 10, Firefox 4, Internet Explorer 9, Opera 11, Safari 5.

Many of the key enhancements include:
- rendering and standards compliance
- security and privacy, including 'do not track' provisions
- JavaScript and graphics performance acceleration
- 'enhanced' user interfaces

Which one will you upgrade to?

Mar 9, 2011

Why you need to Test it like a hacker!

Some tests you don't want to be too hard. Like those we take in school that we don't think will mean too much to us in life later on. Say, for some it's abstract poetry of the Middle Ages, basket weaving in the Precambrian era, etc. For these you just want to get by, so when an easy test comes along, the tested party generally breathes a sigh of relief.

In contrast, some tests are hard for our own good. Physical endurance tests before summiting Mt. Whitney or K2. Crash tests of car safety equipment like seat belts, air bags and brakes. You really want to make sure those things work as advertised so they'll function when you need them.

So it is with enterprise security testing, and security product testing in particular. In a world where virtually every antivirus (antimalware) or endpoint security product is 'certified' by two or three different labs, one would think they're all equally good. And especially if they've got a certification from the government, right? Dead wrong. They've all been 'certified' because they figured out how to pass the test, or because the test isn't hard enough, not necessarily because they would survive the crash.

In our experience, there's rarely such a thing as 'too hard' of a test. In order to know how well a product will defend you, you've got to TEST IT LIKE A HACKER. You need to subject the products in your environment to the same stress and attacks they will face from motivated, persistent adversaries, some of whom use advanced techniques. After all, fixing problems before a breach is always much less expensive than cleaning up the mess afterwards.

As more and more high-profile breaches are disclosed, securing our intellectual property and assets is no longer just a technical issue. NSS Labs makes a lot of its security research and educational content available for free. I encourage you to browse some of the results to find out more.

Mar 2, 2011

Redefining the security gateway

This week I'm at the Pacific Crest Emerging Technologies Summit in San Francisco. And security is hot.

Apparently, enterprise IT buyers are not the only ones interested in information security products. Investors - institutional, hedge funds, private equity, etc. - are all trying to read the tea leaves of the marketing soup being slung by security vendors. It's a stark contrast to the crowds at BlackHat and Defcon. These investors want to understand which companies will outperform or under-perform their competitors in the marketplace. While they clearly possess great knowledge about the financials of these companies, several are admittedly struggling to understand the technology table stakes and differentiators required to compete. Increasingly, they're realizing they need to understand the security tech a little better in order to formulate and justify their investment thesis. I'm fielding questions like: Why do we need new security gateways? What is application control about? How are enterprises buying/using the technology? Can open source security compete? Which approach will win? Which companies have products vs. platforms? With 20 to 40 competing companies in security market segments, surely not all of them can 'perform' and survive long term as stand-alone entities.

In a few hours I'll be tackling some of these questions on a panel with some of the leaders in network security - Barracuda, Fortinet and Sourcefire. This should be a good debate, and we'll have to follow up with some of those larger players who aren't represented, like Check Point, Cisco, HP/TippingPoint, IBM/ISS, Juniper.

RSA update

Like most, I'm recovering from the annual pilgrimage to the RSA conference in San Francisco two weeks ago. As usual, it was a great mecca in which to reconnect with friends, clients, business partners and new folks in the community. I'd especially like to thank all the supporters in our enterprise and vendor advisory boards. The NSS team is grateful for getting 60 of the busiest people in the biz to actively participate in discussions about how to improve information security through testing. It’s a topic that’s garnering momentum. I thank all of you for your input and suggestions on how we can improve and continue to deliver meaningful, actionable information services.

What are your priorities and concerns for 2011? Let us know and you could win a $100 AMEX card. Respondents will receive complimentary access to the research results. Take the survey.

New Research
  • We have a number of endpoint protection platform (EPP) and network security reports we are rolling out, including EPP evasion, multi-vector attack protection, next generation firewall (NGFW), and firewall (FW). There will be a subsequent post on each of these.
  • We have been busy coordinating remediation of an important security issue with a number of firewall vendors. Stay tuned for the full report.
  • As anti-malware continues to fail to protect endpoints, we have been investigating alternatives such as application control (application whitelisting) and secure browsing. While much of this has been performed for private clients in the financial services industry, we are gearing up for a proper group test of these technologies in Q2. Vendors, submit your products. Enterprise buyers, let us know what challenges you're facing, your criteria and experiences. Contact us.

Also New from NSS Labs
  • We rolled out a new video explaining the use cases for our services and how we can help organizations make informed infosec decisions.
  • We also have new collateral which goes into greater detail. See the services overview, or dive into our
  • Finally, NSS is actively expanding to meet the demands of our growing Fortune 2000 client base. If you’re a talented, hands-on infosec professional who understands the value of testing and ethical hacking, and is passionate about improving information security, we should talk. Contact us about career opportunities.

Mar 1, 2011

Google Blogger seems to be having issues, along with some other Google Apps, like mail. Check the dashboard.