Do you have a secure browser in your test security toolbox? Are you wondering if you should use one? If so, this is the episode for you!

Welcome to episode one of Tails of Testing, our new video series. Our team members Brodie Wise, EVP of Business Development and Marketing, and Chris Glacken, Director of Innovative Technologies, chat about the power of secure browsers and when they may be most useful.

Video Transcript

[Onscreen: A split-screen of Brodie and Chris chatting virtually.]

Brodie Wise
Hi, everyone. It’s Brodie Wise here, Executive Vice President, Business Development and Marketing at ITS. I am here with the one, the only, Chris Glacken. But a lot of people don’t know about Chris. So, Chris, do you mind introducing yourself?

Chris Glacken
Sure. Thanks for having me, Brodie. My name is Chris Glacken. I’m Director of Innovative Technologies here at ITS. I oversee our secure browsers and our remote proctoring solutions.

Brodie
Perfect. Well, I love the innovation. I’m hung up on it all the time. So, one of the things that I was hoping to talk to you about today, Chris, is secure browsers and how they are going to save testing and how you have the answers for all of that. So, can you tell us a little bit about secure browsers?

Chris
Sure. So, a secure browser is essentially an application that’s going to lock down the testing device to make sure that anything that’s not necessary to take the test is not used. An example of that is when a candidate is taking a test, you don’t want them using a web browser and going around and searching for the answers during the test. So, a secure browser is going to lock access to those things, so that way the only thing the candidate is doing is taking the test and possibly using any resources that are required for the test.

Brodie
Great. So, it’s interesting you bring that up because there are lots of secure browsers in market. There’s a lot of things that you can do just in a browser level, and some of the secure testing companies or remote proctoring companies are using these little plug-ins for it. Isn’t that the same thing?

Chris
It is not the same thing. It is certainly an approach that can be taken. Everything needs to be considered with, “what are the stakes of the test that’s being delivered?” For a really high-stakes [test], a browser plug-in is probably not going to be able to provide that type of security because it’s not going be able to do things like block screen capturing or do VM detection. It can do some lightweight process checking, but outside of that, you need to really have an application-based secure browser that’s going to allow you to get to those lower-level type of security features.

Brodie
Thanks, Chris. That’s interesting. But is it good enough just to use the plug-ins compared to what we’re doing?

Chris
So, the secure browser, while it is an application that has to be downloaded, our secure browser at least uses the rendering engines that are native on the operating system. So, what that really means is it keeps us lightweight. So, instead of having like 100-megabyte download, our secure browsers are three megabytes. And so, getting past that, that’s going to provide you the features such as blocking screen captures or being able to do some more advanced VM checking and process detection and anything else along those lines that you just can’t get through just a regular web browser.

Brodie
Yeah, that’s a good point. I laugh when I know that we use our secure browsers and so many different settings that help protect. But the security constantly changes, Chris, and maybe there’s a new VM that’s coming out or something that we do. Are we having to do releases all the time? I mean, I know you like all the extra work.

Chris
Security is a never-ending thing. And so, what we’ve done to kind of mitigate that is we use a cloud-based configuration that allows us to dynamically push down configurations at an entire program level or even to specific sites, and that also includes versioning. And so, while we may need to require new application updates to block new security threats, it’s all driven by a cloud configuration that allows our individual partners to be able to control their own release schedule based on what they feel they need to implement and what they feel they would probably wait on if they need to.

Brodie
So, I don’t know, Chris. I guess, when it comes to this, what are people missing? And these open questions about secure browsers. I admit I’m so tired of people thinking that the security is the same on everything. How can I educate them, or how do I, you know, help them understand this a little bit more?

Chris
So security is definitely not the same, and it’s also really dependent on what your needs are. If you’re a really low-stakes program, it might not make sense to implement a lot of measures that might impact more users than normal. It’s also important to consider that the secure browser is not 100% foolproof. There are some things that just can’t be blocked. For example, if I had a hidden camera behind me right now, a secure browser is not going to be able to block that from being able to take over the screen. There’s things such as cable splitters on the back end that, again, any piece of software is not going to be able to detect. Virtual machines are a constant battle. There’s a whole plethora of reasons we can get into about how difficult they are to detect. Our secure browser does a fairly good job at detecting, and we’re constantly looking to improve that. But that’s an important thing to keep in mind. So, the secure browser, it’s a great tool, but it should be just one of the tools in the toolbox. Other things such as test design and things of that nature should be considered when you’re looking at a complete security approach to your test.

Brodie
Yeah. That’s probably the best point you just made is the technology is there. It can solve certain problems, but you need to take a holistic approach when you’re trying to solve, you know, locking down the workstation and so on. One of the other things that it’s worth just asking you about is, with the secure browser, I mean, the remote proctoring companies, there’s a lot of them out there and there’s a lot of good security. Is remote proctoring good for all tests?

Chris
Again, that’s really going to be specific to your needs. In remote proctoring, if the candidate controls the test environment, they’re going to have the advantage. So, when you do remote proctoring, that just needs to be kept in mind. It cannot be as locked-down as a test center is going to be, just by nature of that. Secure browser can help with that, test design can help with that, but, at the end of the day, that really needs to be considered, and that might just be completely fine. I am not knocking on remote proctoring. We have our own remote proctoring product, but those are things that just need to be considered when you look at that method of test delivery.

Brodie
No, I appreciate it. And, as you know, I’m a proponent of remote proctoring, but I just want us to be realistic about what we can and can’t do and not set false expectations when they’re in there. So, thank you so much for the discussion. Is there any lasting thoughts you want to leave with this group?

Chris
No, a secure browser is just a great tool to have in the toolbox. Our ITS Secure Browser, I really love it, it’s lightweight, and it really provides a lot of security benefits that, if they’re important to you, you have at your disposal and it’s all configurable. So, thanks for having me today, Brodie.

Brodie
This is great, Chris, thanks, and thanks for letting us keep you a little bit busier, slip in a little bit more development activities for the secure browser. Have a great day.

Chris
All right, you too.

About Our Guest

Chris Glacken is the Director of Innovative Technologies here at ITS. He’s responsible for the ITS Secure Browsers for Mac and Windows, and he’s also the mastermind behind our ITS Bring Your Own Proctor remote proctoring solution. When he’s not pioneering innovative ideas for testing software, you might find him playing Hot Wheels with his two sons or strumming the mandolin.

If you have questions about secure browsers, send us a note at info@testsys.com, and we’ll get you in touch with Chris!