Most Security Products Fail To Perform
An anonymous reader writes "Nearly 80 percent of security products fail to perform as intended when first tested and generally require two or more cycles of testing before achieving certification, according to a new ICSA Labs report that details lessons gleaned from testing thousands of security products over 20 years. Across seven product categories core product functionality accounted for 78 percent of initial test failures. For example, an anti-virus product failing to prevent infection and for firewalls or an IPS product not filtering malicious traffic. Rounding out the top three is the startling finding that 44 percent of security products had inherent security problems. Security testing issues range from vulnerabilities that compromise the confidentiality or integrity of the system to random behavior that affects product availability."
Maybe they're nervous?
I mean you put them under a lot of pressure to perform and chastise them harshly when they fail to meet your expectations.
Perhaps you should mix them a nice drink, use some mood lighting and tell them you love them once in a while. It's not just about you after all.
Calling someone a "hater" only means you can not rationally rebut their argument.
New devices and software may have bugs which affect performance. Patches may be required for correct performance when exposed to unexpected conditions.
Is security software supposed to be automagically immune to human error? Or is this another "Coders aren't employing secure coding practices" piece I've been reading for well over 3 years. "Validate your inputs" "check loops exit under all circumstances" etc etc. Woo. Insightful this ain't.
Finally had enough. Come see us over at https://soylentnews.org/
Verizon is just trying to prove the relevance of their so-called 'security' tests. They do not really perform any security test at all. Please, stop posting these marketing messages. And puleaszze, stop these semi-bullshit measures such as 44%, 78% ...
There is no such thing as security. You can become more secure, but never absolutely secure. Security is a process, not a product. The moment we realize this, most of these problems go away.
Instead of looking for the "silver bullet" in the form of anti-virus software, you should be using anti-virus in conjunction with firewalls, the latest patches for your OS, and safe browsing habits. After all, I would bet that 9/10 viruses come in the form of human error rather than the case of a malicious hacker trying to force entry to your system.
If our elected representatives no longer represent us, do we still live in a Democracy?
The TSA has issued a press release calling their performance "In line with industry standard private sector security solutions"...
This report is not good news. While ICSA is promoting the need for certified security products, it may do more to convince security managers that they've been getting ripped off. This is what Larry Walsh writes in his blog: http://blogs.channelinsider.com/secure_channel/content/analysis/80_of_security_fail_to_meet_performance_expectations.html
This all sounds like security certification speak.
Among the recommendations from the article: "Use certified products. While certification can never eliminate risk, it substantially reduces risk by ensuring that products meet objective, publicly vetted criteria."
This shouldn't be on Slashdot. We all know that the best software tools are FOSS, subject to the most rigorous testing and peer review. "Certified Products" are a black box with a "Trust us" next to a logo for a "Limited Liability Corporation."
The article should be lumped in with the Gartner reports and marketing materials.
This highlights a point you may very well know already, but allow me to restate it:
People (at least people who program computers) haven't really figured out how to write secure code.
Well, what do I mean by secure code? Code that is 100% secure against a particular well-specified threat, or several of these. I.e. "only users logged in as root on the local console can [...]; users accessing the database through the web interface can't [...].", or "no TCP flow will cause the $OS network stack to crash", or [etc.].
This article is merely the observation that even when people write code that has a security function, they can't magically do better than everybody else.
Also, I'd like to advocate the viewpoint that security is a system property. You can't apt-get install security. Putting a firewall in front of a flaky app (especially a flaky proprietary app) is not going to work well: if you need code to detect whether a packet is evil or not, why don't you put that code in the application, so you don't have three competing vendors waste time trying to be the best flaky-packet-handler for $APP?
Oh well, I guess you can ship sooner. Also, if the original developers of $APP can't get the don't-be-flaky right, we might need something to stand in front.
(I hope this is more coherent than my feeling of well-being would suggest I'm able to make it)
Is anyone here surprised by the fact that security isn't something anyone can buy?
I'm using all of my mod points to mod ancient memes down. Please join me.
The most common source of security problems is poor user interfaces. These can't easily be fixed by third-party products. A ludicrous password policy, for example, which makes people write their passwords on post-it notes because they can't remember them, is a good example. ActiveX allowing untrusted code to run with full privileges with a single button press was another example. UAC and SELinux also suffer from this; the UI is so bad that people often just disable them.
The other cause of security problems is bugs. The OpenBSD developers like to say that the only difference between a bug and a security hole is the intelligence of the attacker, and they're not far wrong. The number of bugs in a piece of code is roughly proportional to the complexity of the code. There are some scale factors, such as the amount of testing, the experience of the developers, and a few other factors, but all other things being equal complex code will contain more bugs than simple code. When you add something like an antivirus program on top of an existing complex system, you are adding a huge extra layer of complexity and hoping that this will fix things. This is why I have no faith in things like MS Singularity. They are replacing a very simple mechanism (hardware-enforced page protection on memory) with a complex mechanism based on type theory and implemented by a huge virtual machine and expecting it to be more secure. If you want a secure system, you should build the complexity from simple layers. Adding Mondrian memory protection to CPUs would be a good start.
I am TheRaven on Soylent News
Change "most security" to "most products" fail to perform.
Software is generally poorly written, is not held to any product standards, comes with "NO WARRANTY", "NO FITNESS FOR A PARTICULAR PURPOSE" and contains "KNOWN DEFECTS".
It's like a new car coming with two flat tires, and you happily paying for it.
It's time we hold software to some decent standards.
You cannot buy security and you cannot buy love.
-- $G
Yeah, I am a bitter vet, and I am so damn happy I got out of that shit world called 'security'.
People were just too dumb, they always wanted to buy products to "make them safe", while they almost never wanted to invest into training, procedures, policies, etc.
Guess they're happy now.
Billion dollar industries have sprung up to address flaws in Windows. Does that surprise anyone?
As the OP says, security products are after the fact solutions. They are intended to band-aid over holes in the product they are ostensibly protecting. They can never fix the actual flaws, nor identify all of the hidden weaknesses.
"I've got more toys than Teruhisa Kitahara."
So, a certification vendor says certification is necessary, based on statistics produced in-house. Subtext: security product vendors need to buy the services of the certification vendor. It might be true, or it might be bias. Hardly news.
The customer for 'Security Products' is some buyer typically disconnected from the nuts-and-bolts of security!
A bunch of mid-to-upper level people sit in a room and talk about 'security.' They don't understand it, but they like/need the idea of it so they can come off as believable to their customer. Better still, the clicky-pointy-GUI and report generation features *really* feed the TPS beast. They talk past each other and pass reports around. Perception! Perception! Perception!
The finance industry is the perfect example. It is possible to build a system that meets various compliance standards without COTS products. In fact, you can build it for 1/100th the price and feature-perfect. But when the audit happens and the auditor *doesn't* get the report immediately recognizable as that TPS report generator from software house XYZ, your audit is now in jeopardy.
Either the audit costs skyrocket and probably fail simply because the audit didn't include a TPS report familiar to the industry or you buy the software from XYZ and the auditor gets his TPS report. What do you think is going to happen? Hint, you've probably never seen six-figure checks written to a COTS vendor so quickly.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
If the testing process didn't find any problems and passed a product on the first attempt, I'd be more suspicious of the tests than of the product - not that I'd buy the product, either.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Every security product "fails." It is impossible to prevent all threats. The point of security is to reduce the risk of compromise. There will always be some risk.
If an antivirus product stops no viruses at all, then it's a failure. If it lets some through but stops others, then it is actually a success because it reduces risk.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Security isn't a 'product' that you can bolt on. Security is something that has to be built in from the ground up, a primary function being irrevocable auditing of all activity on the system. How you can design a 'security product' that doesn't accurately log activity beggars belief. These 'products' sound like the typical management process of covering their arses with certificates.
'Incomplete or inaccurate logging of who did what and when accounted for 58 percent of initial failures'
davecb5620@gmail.com
... we should point the finger at the criminals that write viruses and otherwise break computers.
They write viruses to "get around" current virus protection. Now if you have a tool that works, and a criminal circumvents it, how does that make the tool faulty? It wasn't faulty when it was written, what makes it faulty now?
Are the software engineers supposed to be able to predict the future? What constitutes a tool that works?
Why don't we hold police responsible for not predicting murders, and firemen for fires?
The notion that anyone could write a perfect tool is a joke.
20 years in jail for writing a virus would be much better virus protection than McAfee.
Don't kid yourself. It's the size of the regexp AND how you use it that counts.
Oh, really ? If it's secure enough for these guys, it's secure enough for you and me.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Well - if you changed your "OpenBSD" to "OpenSource", I could agree with you wholeheartedly. Seriously - BSD looks as good as anything on the market, but I've not found a compelling reason to use BSD instead of the more mainstream Linuxes.
Because you limit your comment to one specific Unix-like, you just come across as a fanboi. Next time, try highlighting the merits of unix-like OS's, then compare how one or another stacks up to each other. You might find a convert - or not. But, at least you won't be an obvious fanboi!
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
As some folks know, a lot of physical security products don't really work, either; they give us a false feeling of safety when in fact there is little or no actual benefit. We've got half of America's cities lit up like Christmas trees at night now, burning who knows how many tons of coal every year to do it, but have all those street lights and backyard security lights really made us safer? Some people got a whole lot richer in that process, though.
Another even more striking example close to home: my city took over a formerly "bad" neighborhood and redeveloped it, and part of that "redevelopment" was the installation of wrought-iron fencing around the entire perimeter of the development. It's only about 7 feet tall, mind you, and the bars can be bent and broken by mere mortals (and routinely are). How effective do you suppose that's been at the claimed purpose? Arguably the gates blocking the streets have served the purpose, but the rest of that fencing is an expensive eyesore that did little but make a few politicians look productive and interdict the movement of children with friends on the other side of it. My city, a state capitol no less, has artificially segregated an entire neighborhood in the name of "security", and it failed completely.
So yeah, security products often aren't what they're cracked up to be. Is this really a shock to anyone? Security devices and methods often just pander to humans' natural tendencies toward self-delusion, and make their providers richer at the expense of those who now think they're safer. "False sense of security" isn't clichéd enough, apparently, because people are still being suckered.
Bruce Schneier mostly runs Windows. The NSA uses several different versions of Windows and many different flavors of Unix and Linux. I'm sure they have BSD boxes somewhere in their massive inventory, but it is by no means their primary or secondary computing platform. Why do you suppose that is?
It's because computer security is only a small piece of the security big picture. It doesn't matter how technically secure your systems are if you have a malicious trusted insider carrying sensitive data out, or performing sabotage. How resistant is your entire system to rubber hose cryptanalysis? If a bunch of guys tried to forcibly take control of your data center with machine guns, how secure would your system be? The NSA has offices out there with a bunch of Windows XP boxes - but where they have customized hardware-based encryption at the data entry/exit points, incredibly strict key management policies, TEMPEST shielding, armed users, detailed destruction procedures, and incendiary grenades sitting in the corner.
Mod me down, but seriously, SSL, DNSSEC, and so many things for "security" are just junkware, introducing their own bugs and problems while making things excessively bloaty. Noticed how many vulnerabilities there have been in SSL alone lately? It's scary and this really needs to be rethought.
So does ur mom!!!
So does your comment.
Security is a practice, not a product.