The notion of testing means many different things to many different people; today, Core Security introduces INSIGHT Enterprise, an entirely new method for performing testing of IT security across the enterprise.
An interesting event occurred on June 17th, 2010 – Boeing completed 1000 hours of testing on its new Dreamliner as the airplane heads towards initial production.
This brought back a fond memory – you see, my first job at a real company was as an intern at Rockwell Collins, which was developing all-electronic control systems for Boeing at the time; and my first job, as an engineering sophomore, was to help to test these control systems.
If you’ve ever walked by an open airplane cockpit and seen the electronic displays with all those complex instruments, you know exactly what systems I’m talking about. Yours truly tested a small piece of them. It was very glamorous and exciting at the time as electronic instrumentation was just being invented.
What I don’t talk about too much is the specific job that I had during this work as an intern. My assignment was to test the software code that computed the basic trigonometric functions on these displays – sine, cosine, tangent, and their inverses. Boeing and the FAA required that you had to test every input value that was capable of generating a unique result – down to 32 bits of floating point precision.
It was not sufficient to test the boundary conditions and a well-chosen set of random values; a flight could not be put at risk because a software glitch sent the software into an infinite loop for some particular input value.
Much as it was mind-numbing work, it taught me that good engineering wasn’t all about inspiration and ravishing design – it was also about a rigorous discipline of testing and measurement. Indeed, as I learned, testing and measurement was a significant element of good design. Working with Boeing personnel at the time, I came to truly admire the way that they practiced engineering.
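The exhaustive sweep that requirement implies, as an added example that is not from the original post nor from Boeing, Rockwell Collins or Core Security: square root stands in for the trigonometric routines because a Newton iteration is short enough to show whole, and its naive termination test is exactly the kind of loop that never returns for certain inputs. The harness goes a little beyond the anecdote by walking every one of the 2^32 bit patterns (NaN payloads, infinities, -0 and denormals included) rather than only "valid" inputs; the function names, the 1000-step watchdog and the accuracy tolerance are my own assumptions.

```c
#include <float.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ITER 1000  /* watchdog (assumed): a loop still running after this many steps is a hang */

/* Reinterpret a bit pattern as a float, so the sweep reaches every NaN payload,
 * both infinities, -0 and the denormals, not just the values a tester would pick. */
static float bits_to_float(uint32_t bits) { float f; memcpy(&f, &bits, sizeof f); return f; }

/* Newton iteration for sqrt(x) that stops when two iterates agree exactly. Returns the
 * step count, or -1 when the watchdog trips: x = 0, inf or NaN turns the iterate into
 * NaN, and NaN never compares equal to itself, so without the cap this loop never ends. */
static int sqrt_naive(float x, float *out) {
    float y = x;
    for (int i = 0; i < MAX_ITER; i++) {
        float next = 0.5f * (y + x / y);
        if (next == y) { *out = y; return i; }
        y = next;
    }
    return -1;
}

/* Guarded version: domain errors rejected up front, first guess above the root, stop as
 * soon as the iterate stops decreasing (a strictly decreasing run of floats is finite). */
static int sqrt_guarded(float x, float *out) {
    if (!(x >= 0.0f) || x > FLT_MAX) { *out = bits_to_float(0x7FC00000u); return 0; }  /* NaN, <0, +inf */
    float y = x > 1.0f ? x : 1.0f;  /* max(x, 1) >= sqrt(x) for every finite x >= 0 */
    for (int i = 0; i < MAX_ITER; i++) {
        float next = 0.5f * (y + x / y);
        if (!(next < y)) { *out = y; return i; }
        y = next;
    }
    return -1;
}

/* Exhaustive sweep of every bit pattern in [lo, hi]. Counts inputs where the watchdog
 * tripped or, for finite x >= 0, y*y is more than a few ulps from x (the product is
 * formed in double so the check itself cannot overflow near FLT_MAX). */
static uint64_t sweep_failures(int (*fn)(float, float *), uint32_t lo, uint32_t hi) {
    uint64_t failures = 0;
    for (uint64_t b = lo; b <= hi; b++) {
        float x = bits_to_float((uint32_t)b), y = 0.0f;
        int bad = fn(x, &y) < 0;
        if (!bad && x >= 0.0f && x <= FLT_MAX) {
            double err = (double)y * y - x;
            bad = (err < 0 ? -err : err) > 16.0 * FLT_EPSILON * x + FLT_MIN;
        }
        if (bad && failures++ < 5) printf("input 0x%08x failed\n", (unsigned)b);
    }
    return failures;
}

int main(void) {  /* the full sweep: all 2^32 patterns through the guarded version, minutes on one core */
    uint64_t n = sweep_failures(sqrt_guarded, 0, 0xFFFFFFFFu);
    printf("%llu of 4294967296 inputs failed\n", (unsigned long long)n); return n != 0;
}
```

Swapping `sqrt_naive` into `main` shows the point of the watchdog: the sweep reports the hang on 0, +inf and every NaN pattern instead of sitting there forever, which is the report a boundary-plus-random-values test would never have produced.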
So, it was great to read about the Dreamliner and that Boeing is continuing its tradition and core competency of testing.
While the testing is obviously very sophisticated and thorough, it occurred to me that as a business traveler, the tests and their results are not consumable by me. As a traveler, I want to know how the deep technical data in the testing correlates to, say, the historical causes of accidents, as documented here – http://www.boeing.com/news/techissues/pdf/statsum.pdf (see slide 23, for example).
In other words, how do I map technical data to the various business impact assessments, so that different stakeholders have what they need to make their own decisions?
There are some interesting parallels to consider in the world of IT security.
Real Testing for IT Security
The testing we’ve been doing within the realm of IT security up to this point has also produced limited returns. If you consider Core’s historic lifeblood of penetration testing, for instance, it has had, unfortunately, a limited effect on driving high-level decision making, as results rarely leave the domain of security experts and auditors.
The same can be said of other types of common analysis in our world, from source code analysis (developers) to vulnerability scanning (network management). The parameters and results involved have always been highly specialized. Therefore their results don’t emanate upward, at least not as much as you might think or hope.
This is a recurring theme that I’ve been hearing when speaking to IT security professionals everywhere.
Meanwhile, the technology stack that they’re supposed to secure is getting more complex, more interconnected, and, with cloud computing, more abstract and further outside their administrative control than ever.
Correspondingly, the sets of technologies and best practices that are being used to secure the IT networks are also getting more complex and interconnected. Today’s testers of IT security also run into internal and external administrative boundaries that constrain them; yet, those same parameters obviously do not constrain the attackers against whom they are trying to provide security in the first place, and this is clearly a serious disadvantage.
And, when they actually attempt to raise the red flag about all the things that they’re finding during testing that they are worried about, it often falls on deaf ears – for the simple reason that no one other than other security professionals, or whoever the experts doing the testing may be, can typically comprehend what they are saying, or understand what the results really mean.
That’s about to change.
Today, we at Core Security launched an innovative new product – CORE INSIGHT Enterprise – that brings the discipline of testing and measurement to the art and science of securing IT systems, and shares the results with a far broader audience.
Based on a combination of fundamental research and our field-proven, commercial-grade penetration testing engine, this entirely new product allows today’s security officers to test their IT security defenses across the enterprise in a real-world, holistic manner. A unique, innovative system maps the technical information about IT risk directly to meaningful business data in a manner that the average business unit head can actually understand.
In this way, INSIGHT Enterprise gives you a sophisticated, timely and extremely relevant point of view into the security posture of your IT assets in a way that’s never before been possible.
As we’re still in Beta, it’s obviously fair to say that we’re still in a test phase of our own, but I still think you’ll be impressed with the results.