Saturday, March 12, 2016

Security Software Certification

I’ve been working on cleaning up some of the low-hanging vulnerabilities in major security products lately. For the last two weeks, I’ve been looking at Comodo Antivirus, and have developed a reasonable understanding of how the product works and what it does. Just installing the product, I immediately noticed a few simple problems. Things like:


  • The default installation included and enabled a VNC server with weak authentication.
  • The browser installed by default disabled the same-origin policy.
  • The scanning process didn’t enable ASLR.
  • Incorrect ACLs were used throughout the product.


These issues are mostly fixed now; Comodo have been responsive and are taking all of these reports seriously. Identifying these problems didn’t require any skill: there are point-and-click tools that can identify some of them. Then, using techniques familiar to most security professionals, I went on to find critical memory corruption flaws.


After that, I used reverse engineering to find even more serious design flaws and logic errors. Comodo aren’t alone here; it’s the same story for all the major security software vendors.


Unfortunately, I’m not doing a thorough job. I don't have access to source code, developer documentation or symbols, and I can’t ask the developers questions about their code. A competent security consultancy brought on-site by the vendor could do a much better job.


Still, I’m trying to clean up some of the low hanging fruit that is endangering billions of users worldwide. I don’t think the antivirus industry is going to make even a token effort at resolving these issues unless their hand is forced.


While I've been working on this audit, triaging and analyzing hundreds of unique bugs and writing vulnerability reports, I noticed that Comodo were busy working on certification from Verizon. This certification process isn’t free, and products have to follow guidelines from the certifier. It doesn’t take a genius to figure out that the testing methodology was most likely installing Comodo and then scanning a thumb drive full of malware, but the fact is that vendors are willing to pay to make that happen and to implement the guidelines the certifier publishes.


Verizon actually publish their methodology, and it’s about as ridiculous as you would expect. Requirements for “excellence” include “The Certification Candidate must include Administrative Functions to Enable and disable the Detection of Malware”, and “The Certification Candidate must demonstrate through On-Demand testing that it Detects Malware”.


These are the meaningless tests that antivirus vendors will actually scramble to pass. Perhaps the first step in improving the situation throughout the industry is making sure these certifications actually test something worthwhile.


There’s no need to reinvent the wheel here: why don’t these tests simply integrate some part of Microsoft’s SDL? Many of these tests can be automated too, but their results would actually be useful. For example: "Product survives 24 hours of fuzzing with zero exceptions", "All processes and modules use minimum standards for mitigations", "An attack surface analyzer report identifies no new issues", and so on. Award bonus points in some ranking for using sandboxing, and maybe we'll see the first vendor actually implement that.
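The "minimum standards for mitigations" check above is the kind of automated test that would have flagged the scanning process shipping without ASLR, because those opt-ins are recorded as bits in every PE image's optional header. The script below is an added example, not code from the original post, from Comodo or from Verizon. It parses only the DOS, COFF and optional headers, so it runs offline against any .exe, .dll or .sys; `build_fake_pe` constructs header-only images purely to exercise the parser, and the `REQUIRED` set (ASLR plus DEP) is an assumed minimum bar, not a list any certifier publishes.

```python
"""Audit the opt-in exploit mitigations recorded in a PE image's headers.

Added example; not code from the original post, from Comodo or from Verizon.
Only the DOS/COFF/optional headers are parsed, so it runs offline on any
.exe/.dll/.sys without loading it.
"""
import struct
from pathlib import Path

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLLCHAR_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR with high-entropy addresses
    "DYNAMIC_BASE":    0x0040,  # ASLR: image may be relocated at load
    "FORCE_INTEGRITY": 0x0080,  # signature enforced by the loader
    "NX_COMPAT":       0x0100,  # DEP
    "NO_SEH":          0x0400,  # image has no SEH handlers (x86)
    "GUARD_CF":        0x4000,  # Control Flow Guard
}
IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF Characteristics bit

# Assumed minimum bar for a "minimum standards for mitigations" test;
# no certifier publishes exactly this list.
REQUIRED = ("DYNAMIC_BASE", "NX_COMPAT")


def parse_pe_headers(data: bytes) -> tuple:
    """Return (coff_characteristics, dll_characteristics); ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (characteristics,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at +70 in both the PE32 and PE32+ layouts.
    (dllchar,) = struct.unpack_from("<H", data, opt + 70)
    return characteristics, dllchar


def mitigation_report(data: bytes) -> dict:
    """Decode the flags and list which REQUIRED mitigations are absent or ineffective."""
    characteristics, dllchar = parse_pe_headers(data)
    report = {name: bool(dllchar & bit) for name, bit in DLLCHAR_FLAGS.items()}
    # DYNAMIC_BASE on an image whose relocations were stripped cannot be
    # honoured: the loader maps it at its preferred base, so ASLR is lost.
    report["RELOCS_STRIPPED"] = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    report["ASLR_EFFECTIVE"] = report["DYNAMIC_BASE"] and not report["RELOCS_STRIPPED"]
    effective = dict(report, DYNAMIC_BASE=report["ASLR_EFFECTIVE"])
    report["missing"] = [name for name in REQUIRED if not effective[name]]
    return report


def scan_tree(root: Path) -> dict:
    """Map each module under root that fails the bar to its missing mitigations."""
    findings = {}
    for path in root.rglob("*"):
        if path.suffix.lower() not in (".exe", ".dll", ".sys"):
            continue
        try:
            with path.open("rb") as fh:
                report = mitigation_report(fh.read(4096))  # headers only
        except (OSError, ValueError, struct.error):
            continue                                   # unreadable or not a PE
        if report["missing"]:
            findings[str(path)] = report["missing"]
    return findings


def build_fake_pe(dllchar: int, pe32plus: bool = True,
                  relocs_stripped: bool = False) -> bytes:
    """Constructed header-only PE for demonstration; not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 if pe32plus else 96           # sizes without data directories
    characteristics = 0x0002 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    samples = {
        "hardened":  build_fake_pe(0x0020 | 0x0040 | 0x0100 | 0x4000),
        "no-aslr":   build_fake_pe(0x0100, pe32plus=False),
        "fake-aslr": build_fake_pe(0x0040 | 0x0100, relocs_stripped=True),
    }
    for label, blob in samples.items():
        print(label, "missing:", mitigation_report(blob)["missing"])
    if len(sys.argv) > 1:                        # audit a real install tree
        for path, missing in scan_tree(Path(sys.argv[1])).items():
            print(path, "missing", ", ".join(missing))
```

Run it with the product's install directory as the argument to list every module that fails the bar. The header bits are a floor, not proof: a process can still lose DEP to a runtime opt-out, a 32-bit image gets far less ASLR entropy than a 64-bit one even with `DYNAMIC_BASE`, and the relocation check above exists because a stripped `.reloc` section silently defeats the flag. For a live view of the same properties, Process Explorer's ASLR and DEP columns show what the loader actually applied.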


Something has to change soon. The next Slammer or Code Red isn’t going to target IIS or MSSQL: the security of Microsoft products is in a different universe than it was a decade ago. All of the major security vendors are using ancient codebases with no awareness of modern security practices; it’s still hacking like it’s 1999.
