
NSS Labs fires off anti-malware-testing lawsuit at infosec toolmakers


NSS Labs has thrown a hand grenade into the always fractious but slightly obscure world of security product testing by suing multiple vendors as well as an industry standards organisation.

A lawsuit against CrowdStrike, Symantec, ESET and the Anti-Malware Testing Standards Organization (AMTSO) has alleged no less than a conspiracy to cover up deficiencies in security tools.

These vendors have known of bugs but have failed to act and, worse, were “actively conspiring to prevent independent testing that uncovers those product deficiencies”, NSS Labs claimed.

The lawsuit aims to illuminate bad practices that harm consumers, according to a statement by Vikram Phatak, chief exec of NSS Labs. The anti-malware market is split between consumer and corporate sales with enterprise revenues forming the largest part of the market, even for the likes of Symantec.

NSS Labs accused the named security vendors of forging a pact to collectively boycott its independent test lab [1]. Why? Well, if one of them avoided a test all others participated in then it looks bad, but if there’s a collective “no thanks” then any opprobrium is avoided.

The charge is serious: vendors have come up with a scheme to avoid tests that may expose vulnerabilities they’d rather not have to invest in repairing, never mind the negative PR backlash from poor results.

AMTSO - which aims to establish standards for fair testing - is allegedly “actively preventing unbiased testing” and facilitating this bad practice.

In addition, CrowdStrike and other unnamed vendors have clauses in their user contracts that prohibit testing without permission, NSS Labs alleged.

“If it is good enough to sell, it is good enough to test,” Phatak argued.

This isn't the first time that NSS Labs and CrowdStrike have locked horns: last year CrowdStrike filed an injunction against NSS Labs to prevent release of test results during the RSA Conference. The lawsuit failed.

In a statement, CrowdStrike dismissed NSS’s legal offensive as baseless.

NSS is a for-profit, pay-to-play testing organization that obtains products through fraudulent means and is desperate to defend its business model from open and transparent testing. We believe their lawsuit is baseless.

CrowdStrike supports independent and standards-based testing ― including public testing ― for our products and for the industry. We have undergone independent testing with AV-Comparatives, SE Labs, and MITRE and you can find information on that testing here. We applaud AMTSO’s efforts to promote clear, consistent, and transparent testing standards.

El Reg also asked the other named parties in the lawsuit to comment. We’ll update this story as more information comes to hand.

Bootnote

Other security testing labs are available, including AV-Comparatives, AV-TEST, and SE Labs, among others.
