Are security products really secure?
A recent report from ICSA Labs and Verizon Business found that a majority of security products failed to perform when first tested by independent labs. Most products "require two or more cycles of testing before achieving certification", showing that users should be skeptical of claims made by vendors unless they are backed up by independent testing.
Rounding out the top three is the startling finding that 44 percent of security products had inherent security problems. Security testing issues range from vulnerabilities that compromise the confidentiality or integrity of the system to random behavior that affects product availability. Even though it can be a demanding process, certification with a trusted, established third party is critical to verifying product quality, states the report.
The industry standard for encryption products is the FIPS 140-2 certification given jointly by the US Government (NIST) and the Canadian Government (CSEC). This process requires vulnerability testing by a third-party lab followed by government review. FIPS 140-2 ensures that encryption products do what they say they do, and is the recommended security level for HIPAA and other regulations. More information is available from the Cryptographic Module Validation Program (CMVP).