3rd Party InfoSec Testing Center

scottalanmiller

@NerdyDad said in 3rd Party InfoSec Testing Center:

Question is...how do we fund it as a start-up? Is this where kickstarter comes in?

That's the toughest part. What is the profile of someone that is going to donate money to a non-profit lab of this nature? And can you qualify for non-profit status for a research lab?

RojoLoco

Call it the "First Unified Church of Software Testology" or something... pretty easy to form a church and not pay taxes, look how many there are already. And this one might actually be useful for something (besides not paying taxes).

MattSpeller

@RojoLoco said in 3rd Party InfoSec Testing Center:

Call it the "First Unified Church of Software Testology" or something... pretty easy to form a church and not pay taxes, look how many there are already. And this one might actually be useful for something (besides not paying taxes).

Hail root

dafyre

Before getting too far into it, the testing methods must be standardized and PUBLISHED and made available to third parties.

My question is why would a vendor like Cyclance or McAffee or MalwareBytes, et al not be willing to pay to have an outside entity actually test their products?

By accepting payments for actual work, does that risk it becoming more like the Magic Quadrant people?

Edit for clarity.

Deleted74295

More importantly, how do you show trust and accountability.

I don't care if you are a non profit or a commercial entity, neither proves that you are a trusted source. Either can be bought and paid for.

Also, what is the definition of a good test. I've seen tests where Symantec has won consistently and I know the product sucked at the time.

dafyre

@Breffni-Potter said in 3rd Party InfoSec Testing Center:

More importantly, how do you show trust and accountability.

I don't care if you are a non profit or a commercial entity, neither proves that you are a trusted source. Either can be bought and paid for.

That's why my comment about the testing methods being published and repeatable. If an outside entity can't duplicate our results, then it's not a good test.

NerdyDad

Best way I can say it is to have public policies about gifts/bribes towards the company and employees of the company. If that policy is violated, then the public would need to know somehow that the company has to follow its policy.

NerdyDad

@dafyre said in 3rd Party InfoSec Testing Center:

@Breffni-Potter said in 3rd Party InfoSec Testing Center:

More importantly, how do you show trust and accountability.

I don't care if you are a non profit or a commercial entity, neither proves that you are a trusted source. Either can be bought and paid for.

That's why my comment about the testing methods being published and repeatable. If an outside entity can't duplicate our results, then it's not a good test.

Probably a bad example, but the best one that we have is the scientific community. If somebody at a university says that they discovered x, y, and z and you can prove it with this test, can another university at another independent location reproduce the same discoveries with a test that was setup the same way?

Deleted74295

The tests need to be about real world usage. Screen recorded, with log dumps published.

I.e go to freemusic4u.com

NerdyDad

How about a consortium from universities? Universities fund the project, AVs gets tested, knowledge of the tests goes into updating curriculum of IT & cyber-security courses.

Deleted74295

Universities? Those incredibly slow to react to change organisations delivering up to date security data?

NerdyDad

Yeh, you may have a point there.

scottalanmiller

@NerdyDad said in 3rd Party InfoSec Testing Center:

How about a consortium from universities? Universities fund the project, AVs gets tested, knowledge of the tests goes into updating curriculum of IT & cyber-security courses.

LOL. If universities cared they would have already done this.

dafyre

@scottalanmiller said in 3rd Party InfoSec Testing Center:

@NerdyDad said in 3rd Party InfoSec Testing Center:

How about a consortium from universities? Universities fund the project, AVs gets tested, knowledge of the tests goes into updating curriculum of IT & cyber-security courses.

LOL. If universities cared they would have already done this.

Yeah. I think a Kickstarter or Non-Profit would be probably the best way to go about something like this.

scottalanmiller

I doubt that Kickstarter would work. A non-profit is needed, almost certainly, but is a big pain to run as Republic of IT found out and very hard to get people to commit to donations.

coliver

@scottalanmiller said in 3rd Party InfoSec Testing Center:

I doubt that Kickstarter would work. A non-profit is needed, almost certainly, but is a big pain to run as Republic of IT found out and very hard to get people to commit to donations.

Not to mention this is a fairly niche thing to be testing. Everyone needs it but fewer actually care about the results.

scottalanmiller

@coliver said in 3rd Party InfoSec Testing Center:

@scottalanmiller said in 3rd Party InfoSec Testing Center:

I doubt that Kickstarter would work. A non-profit is needed, almost certainly, but is a big pain to run as Republic of IT found out and very hard to get people to commit to donations.

Not to mention this is a fairly niche thing to be testing. Everyone needs it but fewer actually care about the results.

Or understand them, or trust them. And they change constantly.