Most Security Products Fail To Perform

An anonymous reader writes "Nearly 80 percent of security products fail to perform as intended when first tested and generally require two or more cycles of testing before achieving certification, according to a new ICSA Labs report that details lessons gleaned from testing thousands of security products over 20 years. Across seven product categories core product functionality accounted for 78 percent of initial test failures. For example, an anti-virus product failing to prevent infection and for firewalls or an IPS product not filtering malicious traffic. Rounding out the top three is the startling finding that 44 percent of security products had inherent security problems. Security testing issues range from vulnerabilities that compromise the confidentiality or integrity of the system to random behavior that affects product availability."

This just in!

[L4t3r4lu5]

New devices and software may have bugs which affect performance. Patches may be required for correct performance when exposed to unexpected conditions.

Is security software supposed to be automagically immune to human error? Or is this another "Coders aren't employing secure coding practices" piece I've been reading for well over 3 years. "Validate your inputs" "check loops exit under all circumstances" etc etc. Woo. Insightful this ain't.

Re:This just in!

[Herkum01]

New devices and software may have bugs which affect performance. Patches may be required for correct performance when exposed to unexpected conditions.

Companies (in general) would rather polish turds than expend the energy to make a good product.

Re:This just in!

[mcgrew]

Woo. Insightful this ain't.

Mods, please don't mod that uninsightful coment "insightful". Having a defect in a device I've bought has been extremely rare, buying anything from toasters to TV sets to video cards that just don't work is unheard of. Don't talk to me about the "complexity" of writing software, you think you car is simple?

If your software is buggy your company is incompetent. Period. We as customers shoud stop putting up with defective products and beta sofware that's been rolled out as a "finished product." If I find your software doesn't perform, I should get my money back.

People, can we please stop putting up with incompetents' excuses? After a quarter of a century of putting my up with your crap software I'm getting a little tired of it.

Re:This just in!

[Thanshin]

you think you car is simple?

Car analogy to the rescue!

Let's imagine you're a car builder capable of building cars with the current expected quality.

Let's now imagine your competition builds and sells defective cars for half your costs. For whatever reason, the buyer will buy the half cost faulty car and then repair it until it finally works, rather than buying your "perfect on release" car.

What do you do?

Re:This just in!

[RichardJenkins]

Your car may be complex, but it has relatively few ways for the user to interact with, and is likely always used in the same environment, and fundamentally the same to most every other car on the road. It's been done. Lots.

This goes doubly for your TV and even more for your toaster.

Are you saying software bugs needn't exist because mechanical and electrical engineering can be done so well? That's asinine.

And last I checked, most cars can still crash.

Re:This just in!

[PrescriptionWarning]

There's a big difference between software and hardware my friend. The first of which is safety: when a TV or Car blow up or otherwise severely malfunction it is not tolerated and therefore companies that make those products have much different cycles of testing and engineering (Waterfall development cycles). Software on the other hand has much more leniency for most fields since it has the capability of being continually improved and has a tendency to be rushed through development with that in mind (Spiral development cycles)... this is where the the comparison breaks down between the seeming reliability of hardware versus software.

Re:This just in!

Whenever I see that inane comment, it turns me into Jack's raging bile duct.

Fight Club has brainwashed an entire segment of the population into believing that recalls are that simple.
It ignores stuff like criminal charges for negligence, that the NHTSA has the ability to force recalls, or that
insurance companies might have a say in it as well.

Re:This just in!

[mcgrew]

If your starter goes out a week after buying a new car, there's no safety issue but you're not likely to buy that brand of car again. Any auto manufacturer with shoddy manufacturing and design won't be in business long, unlike software.

Re:This just in!

> Don't talk to me about the "complexity" of writing software, you think you car is simple?

Security hardware/software has to constantly deal with new attacks. Your car doesn't have to deal with anything that hasn't existed for ah hundred years already, and yet a street thug can still be walking away with your radio in under two minutes. (Or driving away the whole car, given slightly more time).

> If your software is buggy your company is incompetent. Period. We as customers shoud stop putting up with defective products and beta sofware that's been rolled out as a "finished product." If I find your software doesn't perform, I should get my money back.

We live in an era where the automobile, which has been under continuous development and refinement for a century, is still produced with major flaws, subject to recalls because tires may blow out when they aren't supposed to, and wires may fray and light the engine on fire. And that's counting the top end modern first-world cars. You can't even get the Chinese exports here, because they keep failing the crash tests, because the steel and welding quality is so bad that they fatally pancake in a 35mph crash.

And you don't get your money back if you get a bad car, outside of a certain short time period from purchase, just like software. You get free patches for both, and that's it.

Security is a process not a product

[Afforess]

There is no such thing as security. You can become more secure, but never absolutelysecure. Security is a process, not a product. The moment we realize this, most of these problems go away.

Instead of looking for the "silver bullet" in the form of a anti-virus software, you should be using anti-virus in conjunction with Firewalls, the latest patches for your OS, and safe browsing habits. After all, I would bet that 9/10 viruses come in the form of human error rather than the case of a malicious hacker trying to force entry to your system.

Re:Security is a process not a product

[TwistedGreen]

No, what he's saying is that a single security solution will never work 100%. You're right, the only magic bullet is to unplug your network cables, but that's not going to happen. That's why you need multiple lines of defense combined with informed usage policies.

Talk about devaluing security

This report is not good news. While ICSA is promoting the need for certified security products, it may do more to convince security managers that they've been getting ripped off. This is what Larry Walsh writes in his blog: http://blogs.channelinsider.com/secure_channel/content/analysis/80_of_security_fail_to_meet_performance_expectations.html

Confidentiality Integrity Availability.

[Dr.+Evil]

This all sounds like security certification speak.

Among the recommendations from the article: "Use certified products. While certification can never eliminate risk, it substantially reduces risk by ensuring that products meet objective, publicly vetted criteria."

This shouldn't be on Slashdot. We all know that the best software tools are FOSS, subject to the most rigourous testing and peer review. "Certified Products" are a black box with a "Trust us" next to a logo for a "Limited Liability Coproration."

The article should be lumped in with the Gartner reports and marketing materials.

Re:Confidentiality Integrity Availability.

Yes and NT4 got EAL rating with a bunch of qualifications.

A whole industry of 'certifiers' has sprung up to make money off clients who can then paint gold stars on their products - just like wine or cigars.

Everyone is missing the point: The vendor is proactive and up to it - or they drag the chain about timely patches. If they are 'one monthers' On this score, BSD beats MS.

We don't know how to do security

[jonaskoelker]

This highlights a point you may very well know already, but allow me to restate it:

People (at least people who program computers) haven't really figured out how to write secure code.

Well, what do I mean by secure code? Code that is 100% secure against a particular well-specified threat, or several of these. I.e. "only users logged in as root on the local console can [...]; users accessing the database through the web interface can't [...].", or "no TCP flow will cause the $OS network stack to crash", or [etc.].

This article is merely the observation that even when people write code that has a security function, they can't magically do better than everybody else.

Also, I'd like to advocate the viewpoint that security is a system property. You can't apt-get install security. Putting a firewall in front of a flaky app (especially a flaky proprietary app) is not going to work well: if you need code to detect whether a packet is evil or not, why don't you put that code in the application, so you don't have three competing vendors waste time trying to be the best flaky-packet-handler for $APP?

Oh well, I guess you can ship sooner. Also, if the original developers of $APP can't get the don't-be-flaky right, we might need something to stand in front.

(I hope this is more coherent than my feeling of well-being would suggest I'm able to make it)

Re:We don't know how to do security

[maxume]

It isn't just the knowing, there is also the bothering. For instance, buffer overflows and SQL injection are some of the most commonly exploited flaws in programs, and the prevention of both is well understood.

Most PRODUCTS fail to perform

Change "most security" to "most products" fail to perform.

Software is generally poorly written, is not held to any product standards, comes with "NO WARRANTY", "NO FITNESS FOR A PARTICULAR PURPOSE" and contains "KNOWN DEFECTS".

It's like a new car coming with two flat tires, and you happily paying for it.

It's time we hold software to some decent standards.

Re:well

[ozmanjusri]

Most security products are basically after the fact. Does this surprise anyone???

Billion dollar industries have sprung up to address flaws in Windows. Does that surprise anyone?

As the OP says, security products are after the fact solutions. They are intended to band-aid over holes in the product they are ostensibly protecting. They can never fix the actual flaws, nor identify all of the hidden weaknesses.

and that's WHY we test things

[petes_PoV]

The article paints a negative picture, when in fact the opposite is true: testing works! When we test stuff we find the bugs, fix them and re-test. After a few iterations the tests are passed. What's wrong with that? As someone who's done a *lot* of testing in the past it sounds to me like the process works.

If the testing process didn't find any problems and passed a product on the firsat attempt, I'd be more suspicious of the tests than of the product - not that I'd buy the product, either.

Re:Most security products fail to perform

Porn, Government, and Security Devices...They promise so much, and deliver so little.