Slashdot Mirror

← Back to Stories (view on slashdot.org)

Most Security Products Fail To Perform

Posted by CmdrTaco on from the ninety-percent-of-everything-is-crap dept.

An anonymous reader writes "Nearly 80 percent of security products fail to perform as intended when first tested and generally require two or more cycles of testing before achieving certification, according to a new ICSA Labs report that details lessons gleaned from testing thousands of security products over 20 years. Across seven product categories core product functionality accounted for 78 percent of initial test failures. For example, an anti-virus product failing to prevent infection and for firewalls or an IPS product not filtering malicious traffic. Rounding out the top three is the startling finding that 44 percent of security products had inherent security problems. Security testing issues range from vulnerabilities that compromise the confidentiality or integrity of the system to random behavior that affects product availability."

23 of 99 comments (clear)

  1. Most security products fail to perform by mjwx · · Score: 4, Funny

    Maybe they're nervous?

    I mean you put them under a lot of pressure to perform and chastise them harshly when they fail to meet your expectations.

    Perhaps you should mix them a nice drink, use some mood lighting and tell them you love them once in a while. It's not just about you after all.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
    1. Re:Most security products fail to perform by slimjim8094 · · Score: 2, Funny

      Security devices can't get it up?

      Of course not - many security devices require you to get it up before you can even install them.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    2. Re:Most security products fail to perform by ObsessiveMathsFreak · · Score: 2, Interesting

      You mean after the all the claims they made? After all they said they'd keep us safe from? After how sure they made us feel in their ability? After all the charm, and the cajoling, and the expenses, and the hassle? After all they promised, now that they can't live up to even our most basic expectations, you're telling me that we're the ones at fault?

      They can't perform, but now we're the ones who have to change? We're the ones who have to clean all the laundry, and be careful around strangers, and lock up for the night? We need protecting, but they have to be looked after first? We're the ones who have to change our ways, just to make them feel they're doing a good job!?

      My mother was right!! I should never have subscribed to a service that came with a free trial!!

      --
      May the Maths Be with you!
  2. This just in! by L4t3r4lu5 · · Score: 3, Insightful

    New devices and software may have bugs which affect performance. Patches may be required for correct performance when exposed to unexpected conditions.

    Is security software supposed to be automagically immune to human error? Or is this another "Coders aren't employing secure coding practices" piece I've been reading for well over 3 years. "Validate your inputs" "check loops exit under all circumstances" etc etc. Woo. Insightful this ain't.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
    1. Re:This just in! by mcgrew · · Score: 5, Insightful

      Woo. Insightful this ain't.

      Mods, please don't mod that uninsightful coment "insightful". Having a defect in a device I've bought has been extremely rare, buying anything from toasters to TV sets to video cards that just don't work is unheard of. Don't talk to me about the "complexity" of writing software, you think you car is simple?

      If your software is buggy your company is incompetent. Period. We as customers shoud stop putting up with defective products and beta sofware that's been rolled out as a "finished product." If I find your software doesn't perform, I should get my money back.

      People, can we please stop putting up with incompetents' excuses? After a quarter of a century of putting my up with your crap software I'm getting a little tired of it.

      --
      Free Martian Whores!
    2. Re:This just in! by Thanshin · · Score: 3, Insightful

      you think you car is simple?

      Car analogy to the rescue!

      Let's imagine you're a car builder capable of building cars with the current expected quality.

      Let's now imagine your competition builds and sells defective cars for half your costs. For whatever reason, the buyer will buy the half cost faulty car and then repair it until it finally works, rather than buying your "perfect on release" car.

      What do you do?

    3. Re:This just in! by L4t3r4lu5 · · Score: 2, Funny

      Here's a quote you might like: I reject your reality, and substitute my own! - Mythbusters

      Half of me thinks you're being sarcastic, but the other half is concerned that you think companies actually want to pay for something good, and that PHBs don't impose stupid deadlines to rush projects out of the door because competitors are building the same product.

      You want to know which projects are going to be bug-free at realease? Hurd, Duke Nukem: Forever, and the Phantom console.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    4. Re:This just in! by RichardJenkins · · Score: 4, Insightful

      Your car may be complex, but it has relatively few ways for the user to interact with, and is likely always used in the same environment, and fundamentally the same to most every other car on the road. It's been done. Lots.

      This goes doubly for your TV and even more for your toaster.

      Are you saying software bugs needn't exist because mechanical and electrical engineering can be done so well? That's asinine.

      And last I checked, most cars can still crash.

    5. Re:This just in! by PrescriptionWarning · · Score: 2, Insightful

      There's a big difference between software and hardware my friend. The first of which is safety: when a TV or Car blow up or otherwise severely malfunction it is not tolerated and therefore companies that make those products have much different cycles of testing and engineering (Waterfall development cycles). Software on the other hand has much more leniency for most fields since it has the capability of being continually improved and has a tendency to be rushed through development with that in mind (Spiral development cycles)... this is where the the comparison breaks down between the seeming reliability of hardware versus software.

    6. Re:This just in! by mcgrew · · Score: 2, Informative

      Let's now imagine your competition builds and sells defective cars for half your costs

      So if that would work, why hasn't anyone done it? The answer is simple -- car buyers are smarter than people who buy software. Also, it's a lot easier to patch a program than to recall a defective car.

      And cars have warrantees. I'd like to see warrantees on software.

      Also, see the AC who responded to your comment, he said a few things I was going to.

      --
      Free Martian Whores!
    7. Re:This just in! by mcgrew · · Score: 2, Insightful

      If your starter goes out a week after buying a new car, there's no safety issue but you're not likely to buy that brand of car again. Any auto manufacturer with shoddy manufacturing and design won't be in business long, unlike software.

      --
      Free Martian Whores!
    8. Re:This just in! by Nadaka · · Score: 2, Funny

      We _cam_ make it bulletproof...
      yes we cam?

  3. Security is a process not a product by Afforess · · Score: 4, Insightful

    There is no such thing as security. You can become more secure, but never absolutelysecure. Security is a process, not a product. The moment we realize this, most of these problems go away.

    Instead of looking for the "silver bullet" in the form of a anti-virus software, you should be using anti-virus in conjunction with Firewalls, the latest patches for your OS, and safe browsing habits. After all, I would bet that 9/10 viruses come in the form of human error rather than the case of a malicious hacker trying to force entry to your system.

    --
    If our elected representatives no longer represent us, do we still live in a Democracy?
    1. Re:Security is a process not a product by TwistedGreen · · Score: 2, Insightful

      No, what he's saying is that a single security solution will never work 100%. You're right, the only magic bullet is to unplug your network cables, but that's not going to happen. That's why you need multiple lines of defense combined with informed usage policies.

  4. And in related news... by fuzzyfuzzyfungus · · Score: 3, Funny

    The TSA has issued a press release calling their performance "In line with industry standard private sector security solutions"...

  5. Talk about devaluing security by Anonymous Coward · · Score: 3, Insightful

    This report is not good news. While ICSA is promoting the need for certified security products, it may do more to convince security managers that they've been getting ripped off. This is what Larry Walsh writes in his blog: http://blogs.channelinsider.com/secure_channel/content/analysis/80_of_security_fail_to_meet_performance_expectations.html

  6. Confidentiality Integrity Availability. by Dr.+Evil · · Score: 4, Insightful

    This all sounds like security certification speak.

    Among the recommendations from the article: "Use certified products. While certification can never eliminate risk, it substantially reduces risk by ensuring that products meet objective, publicly vetted criteria."

    This shouldn't be on Slashdot. We all know that the best software tools are FOSS, subject to the most rigourous testing and peer review. "Certified Products" are a black box with a "Trust us" next to a logo for a "Limited Liability Coproration."

    The article should be lumped in with the Gartner reports and marketing materials.

  7. We don't know how to do security by jonaskoelker · · Score: 2, Insightful

    This highlights a point you may very well know already, but allow me to restate it:

    People (at least people who program computers) haven't really figured out how to write secure code.

    Well, what do I mean by secure code? Code that is 100% secure against a particular well-specified threat, or several of these. I.e. "only users logged in as root on the local console can [...]; users accessing the database through the web interface can't [...].", or "no TCP flow will cause the $OS network stack to crash", or [etc.].

    This article is merely the observation that even when people write code that has a security function, they can't magically do better than everybody else.

    Also, I'd like to advocate the viewpoint that security is a system property. You can't apt-get install security. Putting a firewall in front of a flaky app (especially a flaky proprietary app) is not going to work well: if you need code to detect whether a packet is evil or not, why don't you put that code in the application, so you don't have three competing vendors waste time trying to be the best flaky-packet-handler for $APP?

    Oh well, I guess you can ship sooner. Also, if the original developers of $APP can't get the don't-be-flaky right, we might need something to stand in front.

    (I hope this is more coherent than my feeling of well-being would suggest I'm able to make it)

    1. Re:We don't know how to do security by maxume · · Score: 3, Insightful

      It isn't just the knowing, there is also the bothering. For instance, buffer overflows and SQL injection are some of the most commonly exploited flaws in programs, and the prevention of both is well understood.

      --
      Nerd rage is the funniest rage.
  8. Re:well by ozmanjusri · · Score: 3, Insightful
    Most security products are basically after the fact. Does this surprise anyone???

    Billion dollar industries have sprung up to address flaws in Windows. Does that surprise anyone?

    As the OP says, security products are after the fact solutions. They are intended to band-aid over holes in the product they are ostensibly protecting. They can never fix the actual flaws, nor identify all of the hidden weaknesses.

    --
    "I've got more toys than Teruhisa Kitahara."
  9. Re:Two things cause security problems. by TheRaven64 · · Score: 2, Informative

    If your office door has a physical lock on it, a postit note isn't insecure

    And the cleaner, being paid minimum wage, won't be tempted to make a couple of years' salary selling the password to an unscrupulous competitor? Depends on your market and how well you vet your staff...

    I'd like to know why there's the "change your password monthy" rule?

    Cargo cultism. This one actually used to make sense, but was copied by people who didn't understand it. Passwords are stored encrypted. To reduce CPU load, they used to use very simple hashing / encryption algorithms. A month was about as long as you could guarantee that a copied password file would remain secure. This hasn't been the case for several decades, however (and on Windows systems it takes about ten minutes to decrypt the passwords, because they are (were?) stored in a very silly way).

    --
    I am TheRaven on Soylent News
  10. and that's WHY we test things by petes_PoV · · Score: 2, Insightful
    The article paints a negative picture, when in fact the opposite is true: testing works! When we test stuff we find the bugs, fix them and re-test. After a few iterations the tests are passed. What's wrong with that? As someone who's done a *lot* of testing in the past it sounds to me like the process works.

    If the testing process didn't find any problems and passed a product on the firsat attempt, I'd be more suspicious of the tests than of the product - not that I'd buy the product, either.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  11. Re:Two things cause security problems. by Eevee · · Score: 2, Interesting

    Close but no cigar. You change passwords periodically in order to limit damage. If your password is discovered by someone, then they can only exploit it until the next password change. Guess what...if you keep the same password forever, it can be exploited forever.

    Yes, there are many circumstances in which the damage from a compromised password happens immediately after the compromise. But there are times when the damage is ongoing; consider a rival company monitoring the progress of a new product via email messages accessed via a compromised password.