Saturday, March 12, 2016

Security Software Certification

I’ve been working on cleaning up some of the low-hanging vulnerabilities in major security products lately. For the last two weeks, I’ve been looking at Comodo Antivirus, and have developed a reasonable understanding of how the product works and what it does. Just installing the product, I immediately noticed a few simple problems. Things like:

  • The default installation included and enabled a VNC server with weak authentication.
  • The browser installed by default disabled the same origin policy.
  • The scanning process didn’t enable ASLR.
  • Incorrect ACLs used throughout the product.

These issues are mostly fixed now; Comodo have been responsive and are taking all of these reports seriously. Identifying these problems didn’t require any skill: there are point-and-click tools that can identify some of them. Then, using techniques familiar to most security professionals, I went on to find critical memory corruption flaws.

After that, I used reverse engineering to find even more serious design flaws and logic errors. Comodo aren’t alone here; it’s the same story for all the major security software vendors.

Unfortunately, I’m not doing a thorough job. I don't have access to source code, developer documentation or symbols, and I can’t ask the developers questions about their code. A competent security consultancy brought on-site by the vendor could do a much better job.

Still, I’m trying to clean up some of the low hanging fruit that is endangering billions of users worldwide. I don’t think the antivirus industry is going to make even a token effort at resolving these issues unless their hand is forced.

While I've been working on this audit, triaging and analyzing hundreds of unique bugs and writing vulnerability reports, I noticed that Comodo were busy working on certification from Verizon. This certification process isn’t free, and products have to follow guidelines from the certifier. It doesn’t take a genius to figure out that the testing methodology was most likely installing Comodo, then scanning a thumb drive full of malware - but the fact is that vendors are willing to pay to make that happen and implement the guidelines they publish.

Verizon actually publish their methodology, and it’s about as ridiculous as you would expect. Requirements for “excellence” include “The Certification Candidate must include Administrative Functions to Enable and disable the Detection of Malware”, and “The Certification Candidate must demonstrate through On-Demand testing that it Detects Malware”.

These are the meaningless tests that antivirus vendors will actually scramble to pass. Perhaps the first step in improving the situation throughout the industry is making sure these certifications actually test something worthwhile.

There’s no need to reinvent the wheel here: why don’t these tests simply integrate some part of Microsoft’s SDL? Many of these tests can be automated, and their results would actually be useful. For example, "Product survives 24 hours of fuzzing with zero exceptions", "All processes and modules use minimum standards for mitigations", "An attack surface analyzer report identifies no new issues", and so on. Award bonus points in some ranking for using sandboxing, and maybe we'll see the first vendor actually implement that.
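As an added illustration (not code from the post or from any vendor) of what an automatable "minimum standards for mitigations" check looks like, and of how the missing-ASLR finding from the list above could be caught mechanically: the script below reads the DllCharacteristics field of a PE module's optional header and reports which of ASLR (DYNAMIC_BASE / HIGH_ENTROPY_VA), DEP (NX_COMPAT) and Control Flow Guard are absent. The `build_pe` helper constructs a header-only test image so the check can be exercised without a real binary; real modules are passed as file paths.

```python
import struct

# Bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics (values from the PE spec)
DYNAMIC_BASE    = 0x0040   # image is relocatable, so ASLR can apply
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR over the full address space
NX_COMPAT       = 0x0100   # DEP: data pages are non-executable
GUARD_CF        = 0x4000   # Control Flow Guard instrumentation present

def read_dll_characteristics(image: bytes) -> tuple:
    """Return (optional-header magic, DllCharacteristics) from a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20          # skip PE signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return magic, flags

def missing_mitigations(image: bytes) -> list:
    """List the mitigations a module lacks; an empty list means it passes."""
    magic, flags = read_dll_characteristics(image)
    missing = []
    if not flags & DYNAMIC_BASE:
        missing.append("ASLR")
    elif magic == 0x20B and not flags & HIGH_ENTROPY_VA:
        missing.append("HighEntropyVA")   # only meaningful for 64-bit images
    if not flags & NX_COMPAT:
        missing.append("DEP")
    if not flags & GUARD_CF:
        missing.append("CFG")
    return missing

def build_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only image for testing; not a loadable binary."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)   # e_lfanew = 64
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x2)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:   # audit real modules: python check.py *.dll *.exe
        with open(path, "rb") as f:
            gaps = missing_mitigations(f.read())
        print(path, "OK" if not gaps else "missing: " + ", ".join(gaps))
```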

Something has to change soon. The next Slammer or Code Red isn’t going to target IIS or MSSQL: the security of Microsoft products is in a different universe than it was a decade ago. All of the major security vendors are using ancient codebases with no awareness of modern security practices; it’s still hacking like it’s 1999.


J said...

Start a certification board. Offer it for free the first 6 months.

Monica Summers said...

Abroad, the development of standards is carried out continuously, consistently publishing versions of the standards and projects in various stages of negotiation and approval. Some standards are gradually deepened and detailed in a set of interrelated concepts and the structure of groups of standards. My friend from works with software security every day.

Lunar said...

Travis, is there an AV product or company that you would recommend over the others?

Eugene M said...

Comodo have been pushing one of their "security" tools developed to sandbox applications within compromised Windows boxes to prevent data leakage (MITM, screen grabs, keylogging, etc). It sounded too good to be true and sure enough, it took me under an hour to circumvent their "security". Yet the product is still being pushed on others and I see some large organizations purchasing tens of thousands of licenses.

There are two problems. One is that their development teams (contracted out) aren't versed in security overall. Two, 3rd party testing firms are not doing their due diligence.

What can we expect if so-called cyber security companies don't take their own security seriously? Is it reasonable to expect their products to be?

ShawnM said...

Thank you for the article!
When it comes to cloud-based services I always ask one question: "What about cyber security?". This is because if you use any service you should be aware of any possible issues. In my case, I use ideals data room secure file sharing for very important data so I can be sure my data is safe.

Jennifer Martin said...

There are many antivirus software which are good for your computer system. But I prefer using paid antivirus software as it comes with full functionalities.

Jennifer Martin said...

I do believe that free antivirus software doesn't come with full functionalities and often install some other unwanted freeware along with it. I prefer to buy paid antivirus which comes with full functionalities.

Emma Johanson said...

I think that security certification is very important. My team is developing entertainment apps and games, and we spend a lot of time improving security. But, unlike other companies, we are not testing it by ourselves. We're using this company to test our products.