ICSA Labs report
In the book, Andrew and I wrote about trading data for credibility. If Verizon’s enthusiasm for sharing their learning is any indication, the approach seems to be paying off in spades.
At the Verizon Business blog, Wade Baker writes (the original link, http://securityblog.verizonbusiness.com/2009/11/16/icsa-labs-product-assurance-report/, no longer works):
Today ICSA Labs (an independent division of Verizon Business) released a report based on testing results and observations taken during its 20-year history certifying security products. We mention it here because several members of this team worked with ICSA Labs to design the study, collect and analyze data (a non-trivial feat given the time span), and write the report. Although bookended by other information and recommendations, the bulk of the report hits on three main topics: how often product deficiencies occur during testing, which types occur most often, and what factors contribute to their occurrence. We hope readers will find the report helpful in their mission to protect information and useful to the decisions and deployments made in support of that mission.
The report is available here.
I’ve only had a chance to skim the report, but if I read Table 2 correctly, “Percentage of products that eventually attain certification” seems to indicate that only 29% of network IPS systems make it through the wringer. If that’s the case, it’s time to get a signed statement from your IPS vendor.
Alex Hutton, who blogs here and manages a lot of this blog’s tech bits when he’s not fawning over a beautiful baby girl, may have contributed to the ICSA Labs report, and so wanted me to blog it.