NSS Labs sues antivirus toolmakers, claims they quietly conspire to evade performance tests
NSS Labs has thrown a hand grenade into the always fractious but slightly obscure world of security product testing – by suing multiple vendors as well as an industry standards organisation.
Its lawsuit, filed in California this week against CrowdStrike, Symantec, ESET, and the Anti-Malware Testing Standards Organization (AMTSO), has alleged no less than a conspiracy to cover up deficiencies in security tools.
These vendors not only knew of bugs in their code and failed to act, but they were “actively conspiring to prevent independent testing that uncovers those product deficiencies,” NSS Labs claimed. The lawsuit hopes to illuminate bad practices that harm consumers, Vikram Phatak, chief exec of NSS Labs, claimed in a statement.
At the heart of the matter, NSS Labs has accused the named security vendors of forging a pact to collectively boycott NSS – an independent test lab. Why? Well, if one of them sat out a test all the others participated in, it would look bad; but if there's a collective "no thanks," any opprobrium is avoided.
The charge is serious: the vendors have allegedly come up with a scheme to avoid tests that may expose weaknesses they'd rather not have to invest in repairing, never mind the negative PR backlash from poor results. AMTSO – which aims to establish standards for fair testing – is allegedly "actively preventing unbiased testing" and facilitating this bad practice. In addition, CrowdStrike and other unnamed vendors have clauses in their user contracts that prohibit testing without permission, NSS Labs alleged.
“If it is good enough to sell, it is good enough to test,” Phatak argued.
This isn't the first time NSS Labs and CrowdStrike have locked horns: last year CrowdStrike sought an injunction against NSS Labs to prevent the release of test results during the RSA Conference. That bid failed.
In a statement, CrowdStrike dismissed NSS's legal offensive as baseless:
NSS is a for-profit, pay-to-play testing organization that obtains products through fraudulent means and is desperate to defend its business model from open and transparent testing. We believe their lawsuit is baseless.
CrowdStrike supports independent and standards-based testing — including public testing — for our products and for the industry. We have undergone independent testing with AV-Comparatives, SE Labs, and MITRE and you can find information on that testing here. We applaud AMTSO’s efforts to promote clear, consistent, and transparent testing standards.
El Reg also asked the other named parties in the lawsuit to comment. We’ll update this story as more information comes to hand. ®
Bootnote
Other security testing labs are available, including AV-Comparatives, AV-TEST, and SE Labs, among others. For what it's worth: the anti-malware market is split between consumer and corporate sales, with enterprise revenues forming the largest part of the market, even for the likes of Symantec.
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/20/security_testing_contratemps/