Saturday, March 12, 2016

Security Software Certification

I’ve been working on cleaning up some of the low hanging vulnerabilities in major security products lately. For the last two weeks, I’ve been looking at Comodo Antivirus, and have developed a reasonable understanding of how the product works and what it does. Just installing the product, I immediately noticed a few simple problems. Things like:


  • The default installation included and enabled a VNC server with weak authentication.
  • The browser installed by default disabled the same origin policy.
  • The scanning process didn’t enable ASLR.
  • Incorrect ACLs used throughout the product.


These issues are mostly fixed now; Comodo have been responsive and are taking all of these reports seriously. Identifying these problems didn’t require any skill: there are point-and-click tools that can identify some of them. Then, using techniques familiar to most security professionals, I went on to find critical memory corruption flaws.


After that, I used reverse engineering to find even more serious design flaws and logic errors. Comodo aren’t alone here; it’s the same story for all the major security software vendors.


Unfortunately, I’m not doing a thorough job. I don't have access to source code, developer documentation, or symbols, and I can’t ask the developers questions about their code. A competent security consultancy brought on-site by the vendor could do a much better job.


Still, I’m trying to clean up some of the low hanging fruit that is endangering billions of users worldwide. I don’t think the antivirus industry is going to make even a token effort at resolving these issues unless their hand is forced.


While I've been working on this audit, triaging/analyzing hundreds of unique bugs, and writing vulnerability reports, I noticed that Comodo were busy working on certification from Verizon. This certification process isn’t free, and products have to follow guidelines from the certifier. It doesn’t take a genius to figure out that the testing methodology was most likely installing Comodo, then scanning a thumb drive full of malware; but the fact is that vendors are willing to pay to make that happen and implement the guidelines they publish.


Verizon actually publish their methodology, and it’s about as ridiculous as you would expect. Requirements for “excellence” include “The Certification Candidate must include Administrative Functions to Enable and disable the Detection of Malware”, and “The Certification Candidate must demonstrate through On-Demand testing that it Detects Malware”.


These are the meaningless tests that antivirus vendors will actually scramble to pass. Perhaps the first step in improving the situation throughout the industry is making sure these certifications actually test something worthwhile.


There’s no need to reinvent the wheel here; why don’t these tests simply integrate some part of Microsoft’s SDL? Many of these tests can be automated, but their results would actually be useful. For example, "Product survives 24 hours of fuzzing with zero exceptions", "All processes and modules use minimum standards for mitigations", "An attack surface analyzer report identifies no new issues", and so on. Award bonus points in some ranking for using sandboxing, and maybe we'll see the first vendor actually implement that.
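The "minimum standards for mitigations" check above (and the ASLR finding in the list at the top) can be automated by reading a module's PE headers. This is an added example, not code from the post or from any vendor or certifier; it assumes a minimum bar of ASLR plus DEP, and constructs minimal PE header images inline so it runs without any real binary.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification)
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE    = 0x0040   # image may be relocated at load (ASLR)
NX_COMPAT       = 0x0100   # DEP / NX
GUARD_CF        = 0x4000   # Control Flow Guard
# IMAGE_FILE_HEADER.Characteristics bit: relocations stripped, so DYNAMIC_BASE is moot
RELOCS_STRIPPED = 0x0001

def pe_mitigations(data: bytes) -> dict:
    """Report which build-time mitigations a PE image opts into, from its headers only."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    file_chars = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    is_64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset for PE32 and PE32+
    # DYNAMIC_BASE alone is not enough: without a relocation table the loader cannot move the image.
    aslr = bool(dll_chars & DYNAMIC_BASE) and not (file_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": is_64,
        "aslr": aslr,
        "high_entropy_va": is_64 and bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
        "cfg": bool(dll_chars & GUARD_CF),
    }

def missing_minimum(m: dict) -> list:
    """Mitigations a certification bar (assumed here: ASLR + DEP) would flag as absent."""
    return [k for k in ("aslr", "dep") if not m[k]]

def build_test_image(dll_chars: int, file_chars: int = 0x0022, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (no sections), just large enough for pe_mitigations()."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dll_chars)                      # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for name, img in (("hardened", build_test_image(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT | GUARD_CF)),
                      ("legacy", build_test_image(0))):
        print(name, pe_mitigations(img), "missing:", missing_minimum(pe_mitigations(img)))
```

On a real system you would feed `open(path, "rb").read()` for every loaded module of the product's processes instead of the constructed images.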


Something has to change soon. The next Slammer or Code Red isn’t going to target IIS or MSSQL: the security of Microsoft products is in a different universe than it was a decade ago. All of the major security vendors are using ancient codebases with no awareness of modern security practices; it’s still hacking like it’s 1999.

16 comments:

Lunar said...

Travis, is there an AV product or company that you would recommend over the others?

Eugene M said...

Comodo have been pushing one of their "security" tools developed to sandbox applications within compromised Windows boxes to prevent data leakage (MITM, screen grabs, keylogging, etc.). It sounded too good to be true and sure enough, it took me under an hour to circumvent their "security". Yet the product is still being pushed on others and I see some large organizations purchasing tens of thousands of licenses.

There are two problems. One is that their development teams (contracted out) aren't versed in security overall. Two, third-party testing firms are not doing their due diligence.

What can we expect if so-called cyber security companies don't take their own security seriously? Is it reasonable to expect their products to be?
