Thursday, December 09, 2010

A Good Security Testing Plan Will Save Time and Money

Few enterprises in today's environment of highly constrained IT and security resources can afford to waste time and budget on network security products that exceed — or do not match — their requirements. While it is tempting to forge ahead in evaluating the biggest and fastest, hardware-accelerated, nuclear-powered "Next Generation" security toys, a well-designed testing plan may demonstrate that a lower level of performance is acceptable at certain points on the network, and this can reduce purchase and deployment costs.

An effective testing plan will enable the enterprise to select cost-effective security solutions that align with internal requirements for performance and system integration. The availability of advanced test tools enables a complete test lab to be created in a single rack of equipment, making it possible for almost any organization to perform in-house testing.

When embarking on a testing project, it is also important to decide in advance the eventual use case for the products being tested — a device intended for a branch office environment is unlikely to perform well if tested as an enterprise core product, for example.

In consulting independent test reports, be wary of those test houses that do not recognize the value of use-case testing. Look for those that either seek to certify a product against a particular use case, or that recommend one or more use cases based on the results of the test. A simple "pass/fail" result with no indication of a suitable use case renders a test worse than useless — even misleading.

We have an Analysis Brief in the pipeline that examines each of these issues in more depth and defines testing best practices that will save precious resources when evaluating complex security devices.

Follow me on Twitter (@bwalder) to be kept informed of new research.
