How Open Testing Standards Can Improve Security

When creating security metrics, it's critical that test methodologies cover multiple scenarios to ensure that devices perform as expected in all environments.

Networks are a complex collection of components defined by many different standards. These standards help solve network problems ranging from security to performance and usability.


An open standard is a publicly available standard that can be consumed in a variety of ways for deploying a secure solution for a network. Readers of open security standards use them to understand how a technology might be useful to solve security on the network. Implementers of open standards can create solutions to address documented security issues. Network operators read standards to understand how the different implementations work together to make a complete security solution.


These network solutions often come from different sources, which leads to the creation of a variety of testing procedures and methodologies to ensure that network components support all the security and performance requirements of the network users. Since the majority of standards are also open, it would make sense that the methods for testing are also open. But often this isn't the case, and I think it should be.


The Case for Open Security Testing StandardsThe argument I often hear against open testing standards is because network component engineers can see the test and create a solution based on the known criteria. This, to use a grade school analogy, seems like cheating since the test questions are known in advance, making it possible for a network operator to engineer their products to pass the test. If the tests have full coverage for the security features that a network operator wants, then it doesn't matter if they know what is being tested. The outcome of the testing will be a ..