Slashdot Mirror


Most Security Products Fail To Perform

An anonymous reader writes "Nearly 80 percent of security products fail to perform as intended when first tested and generally require two or more cycles of testing before achieving certification, according to a new ICSA Labs report that details lessons gleaned from testing thousands of security products over 20 years. Across seven product categories core product functionality accounted for 78 percent of initial test failures. For example, an anti-virus product failing to prevent infection and for firewalls or an IPS product not filtering malicious traffic. Rounding out the top three is the startling finding that 44 percent of security products had inherent security problems. Security testing issues range from vulnerabilities that compromise the confidentiality or integrity of the system to random behavior that affects product availability."

11 of 99 comments

  1. Most security products fail to perform by mjwx · · Score: 4, Funny

    Maybe they're nervous?

    I mean you put them under a lot of pressure to perform and chastise them harshly when they fail to meet your expectations.

    Perhaps you should mix them a nice drink, use some mood lighting and tell them you love them once in a while. It's not just about you after all.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  2. This just in! by L4t3r4lu5 · · Score: 3, Insightful

    New devices and software may have bugs which affect performance. Patches may be required for correct performance when exposed to unexpected conditions.

    Is security software supposed to be automagically immune to human error? Or is this another "Coders aren't employing secure coding practices" piece I've been reading for well over 3 years. "Validate your inputs" "check loops exit under all circumstances" etc etc. Woo. Insightful this ain't.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
    1. Re:This just in! by mcgrew · · Score: 5, Insightful

      Woo. Insightful this ain't.

      Mods, please don't mod that uninsightful comment "insightful". Having a defect in a device I've bought has been extremely rare, buying anything from toasters to TV sets to video cards that just don't work is unheard of. Don't talk to me about the "complexity" of writing software, you think your car is simple?

      If your software is buggy your company is incompetent. Period. We as customers should stop putting up with defective products and beta software that's been rolled out as a "finished product." If I find your software doesn't perform, I should get my money back.

      People, can we please stop putting up with incompetents' excuses? After a quarter of a century of putting up with your crap software I'm getting a little tired of it.

    2. Re:This just in! by Thanshin · · Score: 3, Insightful

      you think your car is simple?

      Car analogy to the rescue!

      Let's imagine you're a car builder capable of building cars with the current expected quality.

      Let's now imagine your competition builds and sells defective cars for half your costs. For whatever reason, the buyer will buy the half cost faulty car and then repair it until it finally works, rather than buying your "perfect on release" car.

      What do you do?

    3. Re:This just in! by RichardJenkins · · Score: 4, Insightful

      Your car may be complex, but it has relatively few ways for the user to interact with, and is likely always used in the same environment, and fundamentally the same to most every other car on the road. It's been done. Lots.

      This goes doubly for your TV and even more for your toaster.

      Are you saying software bugs needn't exist because mechanical and electrical engineering can be done so well? That's asinine.

      And last I checked, most cars can still crash.

  3. Security is a process not a product by Afforess · · Score: 4, Insightful

    There is no such thing as security. You can become more secure, but never absolutely secure. Security is a process, not a product. The moment we realize this, most of these problems go away.

    Instead of looking for the "silver bullet" in the form of an anti-virus software, you should be using anti-virus in conjunction with Firewalls, the latest patches for your OS, and safe browsing habits. After all, I would bet that 9/10 viruses come in the form of human error rather than the case of a malicious hacker trying to force entry to your system.

    --
    If our elected representatives no longer represent us, do we still live in a Democracy?
  4. And in related news... by fuzzyfuzzyfungus · · Score: 3, Funny

    The TSA has issued a press release calling their performance "In line with industry standard private sector security solutions"...

  5. Talk about devaluing security by Anonymous Coward · · Score: 3, Insightful

    This report is not good news. While ICSA is promoting the need for certified security products, it may do more to convince security managers that they've been getting ripped off. This is what Larry Walsh writes in his blog: http://blogs.channelinsider.com/secure_channel/content/analysis/80_of_security_fail_to_meet_performance_expectations.html

  6. Confidentiality Integrity Availability. by Dr. Evil · · Score: 4, Insightful

    This all sounds like security certification speak.

    Among the recommendations from the article: "Use certified products. While certification can never eliminate risk, it substantially reduces risk by ensuring that products meet objective, publicly vetted criteria."

    This shouldn't be on Slashdot. We all know that the best software tools are FOSS, subject to the most rigorous testing and peer review. "Certified Products" are a black box with a "Trust us" next to a logo for a "Limited Liability Corporation."

    The article should be lumped in with the Gartner reports and marketing materials.

  7. Re:We don't know how to do security by maxume · · Score: 3, Insightful

    It isn't just the knowing, there is also the bothering. For instance, buffer overflows and SQL injection are some of the most commonly exploited flaws in programs, and the prevention of both is well understood.

    --
    Nerd rage is the funniest rage.
  8. Re:well by ozmanjusri · · Score: 3, Insightful

    Most security products are basically after the fact. Does this surprise anyone???

    Billion dollar industries have sprung up to address flaws in Windows. Does that surprise anyone?

    As the OP says, security products are after the fact solutions. They are intended to band-aid over holes in the product they are ostensibly protecting. They can never fix the actual flaws, nor identify all of the hidden weaknesses.

    --
    "I've got more toys than Teruhisa Kitahara."