How NSS Labs Tests and Evaluates Security Products | eWeek

NSS Labs Releases Next-Generation Firewall Test Results

NSS Labs CTO
Jul 20, 2018
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Jason Brvenik, chief technology officer at NSS Labs, spends his time testing a lot of different security technologies in an effort to evaluate vendor claims and product efficacy. The most recent set of technologies tested by NSS Labs are next-generation firewalls (NGFWs), with test results published on July 17.

Among the products tested by NSS Labs were NGFWs from Barracuda, Check Point, Cisco, Forcepoint, Fortinet, Palo Alto Networks, SonicWall, Sophos, Versa Networks and WatchGuard.

The NSS Labs’ 2018 NGFW Group Test report reveals that 60 percent of the assessed NGFWs were able to demonstrate a resistance to common evasion techniques. Attackers increasingly use different evasion techniques to try to bypass the protection provided by cyber-security products. Of note, NSS Labs reported that one evasion technique that all NGFWs struggle against is obfuscated JavaScript. According to the test results, none of the tested products was able to properly decode the JavaScript.


In a video interview with eWEEK, Brvenik explains how NSS Labs tests security technologies and why his firm is moving to a continuous evaluation model to help provide the most accurate results.

There are multiple techniques and tools for testing cyber-security technologies, including the popular open-source Metasploit penetration testing framework. Brvenik said NSS Labs goes above and beyond what Metasploit does, analyzing protocols and looking for ambiguities in specifications. 

Brvenik added that NSS Labs has its own Baitnet test harness that is a core element of the evaluation process. Baitnet is an automation framework for replaying attacks in parallel. Compliance conformance is not, however, something that Brvenik is overly concerned about.

“It’s about effectiveness at the end of the day. We look to assess how well a technology meets an enterprise’s needs and compliance is irrelevant, especially in our space. Our entire industry exists because compliance fails,” he said. “Whether or not you comply with any given standard really comes down to how well the technology identifies an attack, identifies evasive behavior, identities the presence of an adversary or prevents that action from occurring.”

Watch the full video interview with Jason Brvenik above.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.