Reducing Conflict of Interest in Third Party Security Testing Validations/Certifications (Y32a)
There is a problem with the security product testing paradigm. Currently, most formal IT security product validations/certifications are financed by the product vendor rather than by an independent sponsor. The economics of vendor-financed testing are understood, but this arrangement places the laboratory and its testers in a conflict of interest: the vendor exerts pressure to complete the testing quickly rather than to have it done as thoroughly as it should be. Accreditation of laboratories, good oversight from validation/certification authorities, and the integrity of testers and laboratories counter some of this pressure, but money still runs the world. Is there a better way to ensure that the expected security functionality is implemented correctly to the needed level of assurance?
This presentation will discuss this conflict of interest and examine the current approaches to ensuring the integrity of the testing. The presentation will recommend different ways to ensure that laboratories are not unduly influenced by vendors, including, but not limited to, purchaser sponsorship and validation/certification authorities ensuring that their oversight procedures do not exacerbate the pressure on laboratories to rush testing.