New IT Security Product Assessment Tool Launched

Jericho Forum, the international IT security association, has today launched a Self-Assessment Scheme (SAS), which it claims will allow vendors and their customers to check the effectiveness of an IT security product.

The new free-of-charge tool has been based on the association’s own eleven principles of good security design, known as the Jericho Forum Commandments, which were first established in 2006.

The assessment is made up of a series of questions geared to exposing a product’s security flaws or loopholes. It is designed to be used by IT security vendors and end-user organisations to evaluate how well products will meet requirements and ensure secure implementation and deployment. It can also help IT systems architects and designers looking to validate the security of their architecture designs.

“The ultimate goal of the self-assessment scheme is to influence IT product innovation and market forces to be security driven instead of purely feature-driven,” stated the forum.

Paul Simmonds, Jericho Forum board member, said: “The eleven Jericho Forum Commandments are adopted by many IT architects and designers throughout the industry as valuable benchmarks for measuring design concepts and solutions, while a number of end-user organisations are known to include them as part of their RFPs [requests for proposals].”

He added that the scheme was intended to extend the benefits of clear measurement criteria to all security vendors and customer organisations with the goal of establishing a more secure marketplace, where products are inherently secure ‘out of the box’. “This is an open invitation to the IT industry to improve security design standards,” he said.

Dan Blum, senior vice president and principal analyst at Burton Group, endorsed the scheme’s standard criteria and said it would be particularly useful in the move towards more cloud deployments. “I’ve previously referenced the Jericho Commandments as a framework for envisioning how information security defences must shift in the modern era,” he said.

“Cloud computing is the latest manifestation of IT externalisation and de-perimeterisation trends that motivate the Jericho Commandments. The Jericho Self-Assessment Scheme will help vendors and customers give themselves an architecture check up, and it is therefore a useful way to measure cloud-readiness.”

Philippe Courtot, Qualys chief executive and Jericho Forum board member, agreed with Blum: “As more and more applications move into the cloud, assessing the level of security computing vendors really provide is a major effort. The self-assessment questionnaire devised by the Jericho Forum provides a comprehensive and straightforward mechanism to start such a process, as it could for example be easily made part of the RFP process,” he said. “Such an initiative will definitively help improve the necessary transparency cloud computing vendors must deliver.”

The Forum said SAS results will not be shared. But vendors may choose to promote that they have “self-assessed” their products by displaying the Jericho Forum’s “Self-Assessed” logo on their website and marketing materials.

Miya Knights
