Who do you turn to when your security product becomes a gateway for attackers?
Security products are present in most systems and can, in theory, become a high pay-off target for hackers after the OS, browsers, etc. At iViZ we wanted to study how secure security products are. iViZ used databases such as the Common Vulnerability Enumeration (CVE), Common Product Enumeration (CPE) and National Vulnerability Database (NVD) for the analysis.
www.ivizsecurity.com
How are security vendors doing in terms of protecting their own products?
More recently, hackers have claimed to be in possession of the source code for Symantec's pcAnywhere tool and Norton antivirus.
Figure 2 (chart not reproduced; categories shown: VPN, IDS/IPS, Firewall, Anti-Virus)
Figure 6: Number of vulnerabilities found in some of the major security products existing today. The X axis displays the number of vulnerabilities and the Y axis displays some of the major security products. The total vulnerabilities for each security product are calculated by considering all versions of the product and their individual vulnerabilities discovered over the past years.
(Charts not reproduced; vulnerability categories shown: SQL Injection, XSS, Buffer Errors, Access Control, Input Validation, Code Injection, Resource Management Errors, Path Traversal, Information Leak, Numeric Errors, Authentication Issues)
Conclusion
The two largest threats to security product vendors/developers are the Black 0-Day Market and Cyber Warfare.
Vulnerabilities are as common in security products as they are in non-security products. As per the Global Risk 2012 report, the cost of each cyber crime is 5.9 million USD and is likely to grow. There is no foolproof solution to mitigate Cyber Warfare attacks, but we can take suitable measures to ensure that security itself is more secure in the future.
Some thoughts..
Security products are high pay-off targets since they are present in most systems
APT and cyber-warfare make security products the next choice
Are you sure your web application is secure? Check out our cloud-based penetration testing solution with Zero False Positive Guarantee: www.ivizsecurity.com
Thank you