Shostack + Friends Blog Archive


ICSA Labs report

In the book, Andrew and I wrote about trading data for credibility. If Verizon’s enthusiasm for sharing their learning is any indication, the approach seems to be paying off in spades.

At the Verizon Business blog, Wade Baker writes [link to no longer works]:

Today ICSA Labs (an independent division of Verizon Business) released a report based on testing results and observations taken during its 20-year history certifying security products. We mention it here because several members of this team worked with ICSA Labs to design the study, collect and analyze data (a non-trivial feat given the time span), and write the report. Although bookended by other information and recommendations, the bulk of the report hits on three main topics: how often product deficiencies occur during testing, which types occur most often, and what factors contribute to their occurrence. We hope readers will find the report helpful in their mission to protect information and useful to the decisions and deployments made in support of that mission.

The report is available here.

I’ve only had a chance to skim the report, but if I read table 2 correctly, “Percentage of products that eventually attain certification” seems to indicate that only 29% of network IPS systems make it through the wringer. If that’s the case, it’s time to get a signed statement from your IPS vendor.

Alex Hutton, who blogs here and manages a lot of this blog’s tech bits when he’s not fawning over a beautiful baby girl, may have contributed to the ICSA Labs report, and so wanted me to blog it.

2 comments on "ICSA Labs report"

  • alex says:

    I didn’t contribute, but it came from my company and people on my team. It was really all Dave Hylender and George and Wade. Also, I don’t want to write about my work stuff here, if only to maintain a high degree of blog integrity.

    RE: Integrity There are some, of course, who would suggest it’s tough to lose what you don’t already have 🙂

  • Adam says:

    That must be why I was confused. 🙂
