Standardization and the security appliance
I was lucky enough to attend the RSA Conference this past February in San Francisco. This gathering boasts one of the largest collections of computer security vendors under one roof anywhere in the world today. It is a rather handy one-stop shopping venue if you are in the market for a new firewall, an intrusion detection system, or the latest technology: the intrusion prevention system. The competition among the various vendors for the delegates' attention was, understandably, fairly fierce. It almost felt like being at a carnival, with the carnies crying out the virtues of their stalls. Only in this case the virtues being extolled by the various vendors were those of some rather high-priced products.
For some strange reason this prompted a memory of when I used to work in the home alarm security industry. We sold burglar and fire alarm systems, with monitoring, to homeowners, businesses, and various embassies. What struck me was that all the various elements of the home security business had one thing in common: all of the hardware components conformed to the ULC criteria set out for them. Having this common body doing a certain degree of certification surely helped the homeowner or business feel a little more at ease. They knew that at least certain criteria had been met for that specific piece of gear, on which a lot depended. If it had not met them, it would not carry the ULC label certifying that it had satisfied its minimum specifications. This is a large part of the reason your home insurance company will offer you a discount if you have a monitored home security system.
Remembering this, I thought it was probably about time that a similar type of certification body appeared for the various computer network security appliances. There is a dizzying array of appliances out there today, addressing almost every security concern. The problem is that every vendor is touting that their product can accomplish this performance benchmark or that task for you. There would be little point in a vendor making outright falsifications about their wares, but it would surely be nice to have those claims ascertained, to a certain degree, by an independent source. With such a body in place to run benchmark tests, at least you, the buyer, could safely make certain assumptions, because the appliance had met a baseline set of criteria. Such a certification body would by design have to be a "not for profit" entity, or else its certifications could come under scrutiny for being vendor-biased in some way.
Personally speaking, I have conducted product evaluation reviews for various vendors and their products. That a vendor would commission such a review spoke volumes to me about that vendor's seriousness and, to an extent, their integrity. It only makes good business sense that a vendor would want independent verification of their product claims. Having vendor performance claims corroborated by an independent body greatly enhances their credibility in the eyes of potential buyers. After all, having a product evaluation done is not cheap, but it allows for extensive and complex testing of that product by an objective third party. It is all too easy for a vendor to get tunnel vision when it comes to their product's effectiveness. Several times in the past year I have been contracted by a client to do an impartial review of security appliances they were contemplating purchasing. This made perfect sense to me, as my client was willing to spend six figures on a vendor's products. It only made sense, then, to invest in my services to make sure those products performed as advertised.
Let's take, for example, Microsoft, which we all know to be a very rich corporation. Yet, as we all know, there is a never-ending parade of flaws attributed to their product line. Established products such as Internet Explorer continue to yield a treasure trove of vulnerabilities. Microsoft has some very talented individuals working on their security team, but would it not make sense for them to contract out for independent code reviews? From what I understand, this has started to happen, with them obtaining the services of some high-profile talent.
There is an immense amount of code that goes into creating a security appliance such as an IDS or IPS. Buffer overflows or format string attacks against such a product's management interface are a very real possibility. Buying such a product is very much a necessity in today's complex and hostile computing environment. The problem, though, is this: how do you know you have not just added another attack vector to your network via that brand spanking new IPS you just bought? You would be very much mistaken to think this has not happened before. All you need to know is that there have been exploitable problems in Snort. These exploitable problems were fixed quickly by Marty Roesch and company, but they serve to highlight the very real problem that a security appliance can itself introduce into the network it is there to protect.
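As an added illustration of the kind of bug the paragraph above has in mind (this is not code from the original column, from Snort, or from any vendor's product), here is a hypothetical management-interface event logger. The unsafe pattern, passing client-supplied text straight in as the format string, is shown only in a comment, because it is undefined behaviour; the runnable code is the hardened form, together with a small check a reviewer can use to flag untrusted input that carries conversion directives. The function names, the `LOG_MAX` size and the `[mgmt]` prefix are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical appliance management-interface logger (added example).
 * The classic format string bug looks like this, with msg coming from
 * the network client:
 *
 *     snprintf(buf, sizeof buf, msg);
 *
 * A client sending "%x%x%x" then reads the stack, and "%n" writes to
 * memory.  The hardened code below never lets untrusted bytes become
 * the format: the format is a string literal and msg is a %s argument. */

#define LOG_MAX 128   /* assumed log line size for this example */

/* Return 1 if an untrusted string contains a printf conversion
 * directive (anything after '%' other than the literal "%%" escape).
 * Useful as a review or fuzzing check on inputs that reach a logger. */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is just a literal percent sign */
            s++;
            continue;
        }
        return 1;            /* "%x", "%n", "%s", or a dangling '%' */
    }
    return 0;
}

/* Hardened logger.  Writes "[mgmt] <client>: <msg>" into out, truncating
 * to outsz - 1 characters, and returns the number of characters stored
 * (or -1 on an encoding error from snprintf). */
int log_event(char *out, size_t outsz, const char *client, const char *msg)
{
    int n = snprintf(out, outsz, "[mgmt] %s: %s", client, msg);
    if (n < 0)
        return -1;
    if ((size_t)n >= outsz)      /* snprintf reports the untruncated length */
        return (int)outsz - 1;
    return n;
}

int main(void)
{
    char line[LOG_MAX];
    /* Constructed sample input: a client string that would have walked
     * the stack under the unsafe pattern, logged verbatim instead. */
    const char *hostile = "%x%x%x%n";

    if (contains_format_directive(hostile))
        printf("warning: input carries format directives, logging as data\n");

    log_event(line, sizeof line, "10.0.0.5", hostile);
    printf("%s\n", line);
    return 0;
}
```

The review question this answers is simple: in every path where client-controlled bytes reach `printf`, `syslog`, or a logging wrapper, is the format a literal? A grep for `snprintf(` and `syslog(` calls whose second (or third) argument is a variable, plus feeding the product strings like the one above, is the kind of test a certification body could run without a full code audit.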
While these issues may not occur to the average person contemplating such a purchase, they probably do occur to someone in charge of a high-assurance network. Should your company be a publicly traded one, your share price could very much rise and fall on a network breach. This is of even more concern to companies residing in states that mandate disclosure if they suffer an integrity loss of their computer-based customer data. With highly skilled security workers moving between employers more often, it makes even more sense to have some security appliance in place. After all, your employee of today may very well be gone tomorrow for a better-paying offer. While they may be gone, at least your equipment will still be in place and functioning.
Bearing all of this in mind, it seems logical to me that it is time for a certification body to come forward and address some of these problems. While such a body cannot realistically perform in-depth code audits on these security appliances, it can certainly stress test them. It would not take long for a group of talented individuals to come up with a battery of tests for the various categories of security products out there today. An argument could be made that this would just be another money grab, but I for one would argue that it would help legitimize, if you will, the computer security appliance industry. At the very least it would benefit the purchasers of such products, many of whom do not have a highly technical background. The bottom line is that anything which helps the consumer is a good idea indeed. Lastly, it would probably also benefit the vendor, in so much as they would not have to pay for a pricey product review from a person such as me to independently corroborate their product.