Third Party Testing and the World of Network Security

By Michael Xie | April 04, 2014

There was a time in the distant past, before consumer protection agencies like the FDA existed, when regular people were completely reliant on companies and their marketing to inform them about medicines, drugs and other remedies available to cure their ailments. A company could easily make remarkable and frankly incredible statements about the efficacy and performance of its products. People really had no way to objectively determine for themselves whether something actually worked or not... except for crossing their fingers and swallowing the pill for themselves. Snake oil "cures" were rampant.

In 1906, after the horrors of the meat packing industry were uncovered in Upton Sinclair's seminal work The Jungle, it was clear that things needed to change. The FDA was created and the Pure Food and Drugs Act became law. A mandate was given; rules and regulations were adopted. Standardized testing protocols were developed. Products were tested not only for how they worked and how effectively they worked, but also to determine if there were any dangers to the people using the products.

The system as it exists today has been very successful: for every drug that comes to market, there are untold numbers of other promising products that never make it out of clinical trials. As a result, in today's world the majority of people trust these processes and their doctors to recommend treatments that will assist them in getting better.

Looking at the world of cyber security, today we exist in a reality similar to the "Wild West" pre-FDA era. There are many security vendors out there that will tell you how fantastic their products are and how you will never be safe without their protection. It's modern-day snake oil salesmanship at its best: brochures, data sheets and presentations are filled with woeful tales of attacks, theft and compromises, and jam-packed with fancy words that you may not really understand. To them, marketing dollars spent are more critical than developing a culture of thorough and extensive product testing - both in the lab and outside of it.

Many customers don't have the means, manpower or specialized technical skills to really vet these fantastic claims - and far too often find themselves making a purchase based more on marketing sizzle than the actual merits of the product itself.

What's needed is an objective third party or organization whose sole purpose is to factually judge the merits of security products to determine how those devices actually function and perform. Groups like NSS Labs are leading the charge: standardizing tests and objectively reporting those results to people who want to know.

It's understandable that companies that don't perform as well against their peers as they'd hoped or expected want to push back and criticize these results, but we don't believe this helps them - or the security business in general - in either the short or the long term.

Fortinet is a strong believer in third party testing. We are always willing to put our products on the line against our colleagues and competitors in the security sphere... because to us, regardless of where we finish, we take the results and use them to create a better product.

And that is what we believe in at Fortinet: making a better product for our customers with every iteration and release.

Michael Xie
Chief Technology Officer, Fortinet
