About OSEC


Contents:
  What is OSEC?
  Why OSEC?
  OSEC and vendors
  OSEC and end users
  How to get involved

Links:
  OSEC FAQ


What is OSEC?

OSEC, the Open Security Evaluation Criteria, is a framework for evaluating security products. OSEC is founded on the notion that security product evaluation criteria should be openly examinable, subject to critique and amendment with vendor and end-user input, and ultimately the product of community peer review. Results should be published along with the gritty testing details, testing notes and observations, as with any good lab test. OSEC defines a core set of tests for any networked security product, then adds security and performance tests specific to each product space. While OSEC is a trademark of Neohapsis, its criteria are open to view and critique, and were formulated with input from vendors, end-users, and many in the security community actively working in the product spaces for which criteria have been developed.


Why OSEC?

Many in the security community were tired of seeing two trends dominate the security product evaluation discussion. First, an obsession with testing product performance solely in terms of speed, and doing so with flawed methodologies. Second, a disturbing number of products entering the marketplace "certified" and yet containing easily-discovered holes or flaws already seen in past products in the space, some even containing already-known vulnerabilities. OSEC is founded on multiple tiers of test-run verification, and the test tools used have themselves been verified to generate the traffic specified by the test. While we do not expect OSEC to find all problems in a product during testing, we do expect that vendors pursuing OSEC product verification will start stamping out in advance the problems for which OSEC tests, improving the product space and meeting end-user expectations. As time goes on, the OSEC criteria will become tougher. Each OSEC section is intended to evolve, covering more and more common, testable factors and making verification of them part of the normal "spec" for the product space.


OSEC and vendors

Vendors will find in OSEC both a challenge to produce products that stand up to scrutiny and a chance to set out exactly what a product does and does not do. OSEC test granularity is high, designed to break out (and verify) the functionalities an end-user should care about. The product Verification Certificate thus, like an automobile spec sheet or gemstone certificate, lets end-users evaluate the product against their own requirements. OSEC helps UN-flatten a product space, taking the attention away from one or two performance factors and placing it squarely where it belongs: on the product's ability to satisfy the consumer's particular requirements. In doing so, OSEC rewards vendors that diversify product lines to satisfy many niches, by reflecting those capabilities and assuring the consumer that the base functionality has not suffered.


OSEC and end users

If product end-users cared about nothing but price and speed, they would all buy layer-3 switches instead of firewalls and routers. Obviously there is more to a good networking product than speed, and security products in particular require deeper scrutiny. OSEC benefits the knowledgeable consumer of IT products by breaking product functionality out into many fine-grained factors, testing them, and presenting the results in concise form. The test results, rather than being a seal of approval, VALIDATE a vendor's claims about a product's capabilities. One EXPECTS a 100 Mbit IDS product to take an "NA" in the 200+ Mbps tests, and the price to reflect the capabilities. Yet most product tests, and even most reviews, concentrate on simple packets-per-second performance metrics over depth of function. OSEC helps end-users validate that vendors have not cut important corners in making their product lines satisfy various niches. In addition, the core security tests, which will become tougher over time, encourage the steady improvement of product security.


How to Get Involved

Vendors:
Looking to contribute to current or possible OSEC product verification criteria sets?
Contact Neohapsis and ask for the OSEC project director.

Looking to have a product's capabilities verified against a current OSEC criteria set?
Contact Neohapsis Labs and ask for the Labs director.

Just want more information from a head-to-head?
Call or write Neohapsis Labs, and we'll be happy to answer your questions and discuss your concerns.

End-Users and the general security community:
Looking to contribute to current or possible OSEC product verification criteria sets or just have a lot of questions that aren't in the FAQ?
E-mail the OSEC project address. We'll be happy to reply.

A set of OSEC mailing lists in each general product category will be coming out soon for general debate and discussion of testing criteria and methods. Stay tuned!

Neohapsis Labs
Phone:  +1 (773) 394-8310                       Fax:  (773) 394-8314
Email:  OSEC project:  osec@neohapsis.com       Neo Labs: labs@neohapsis.com


Copyright 2002, Neohapsis, Inc.