Saturday, March 12, 2016

Security Software Certification

I’ve been working on cleaning up some of the low hanging vulnerabilities in major security products lately. For the last two weeks, I’ve been looking at Comodo Antivirus, and have developed a reasonable understanding of how the product works and what it does. Just installing the product, I immediately noticed a few simple problems. Things like:


  • The default installation included and enabled a VNC server with weak authentication.
  • The browser installed by default disabled the same origin policy.
  • The scanning process didn’t enable ASLR.
  • Incorrect ACLs used throughout the product.


These issues are mostly fixed now; Comodo have been responsive and are taking all of these reports seriously. Identifying these problems didn’t require any skill: there are point-and-click tools that can identify some of these problems. Then, using techniques familiar to most security professionals, I went on to find critical memory corruption flaws.


After that, I used reverse engineering to find even more serious design flaws and logic errors. Comodo aren’t alone here; it’s the same story for all the major security software vendors.


Unfortunately, I’m not doing a thorough job. I don't have access to source code, developer documentation, or symbols, and I can’t ask the developers questions about their code. A competent security consultancy brought on-site by the vendor could do a much better job.


Still, I’m trying to clean up some of the low hanging fruit that is endangering billions of users worldwide. I don’t think the antivirus industry is going to make even a token effort at resolving these issues unless their hand is forced.


While I've been working on this audit, triaging/analyzing hundreds of unique bugs, and writing vulnerability reports, I noticed that Comodo were busy working on certification from Verizon. This certification process isn’t free, and products have to follow guidelines from the certifier. It doesn’t take a genius to figure out that the testing methodology was most likely installing Comodo, then scanning a thumb drive full of malware - but the fact is that vendors are willing to pay to make that happen and implement the guidelines they publish.


Verizon actually publish their methodology, and it’s about as ridiculous as you would expect. Requirements for “excellence” include “The Certification Candidate must include Administrative Functions to Enable and disable the Detection of Malware”, and “The Certification Candidate must demonstrate through On-Demand testing that it Detects Malware”.


These are the meaningless tests that antivirus vendors will actually scramble to pass. Perhaps the first step in improving the situation throughout the industry is making sure these certifications actually test something worthwhile.


There’s no need to reinvent the wheel here: why don’t these tests simply integrate some part of Microsoft’s SDL? Many of these tests can be automated, but their results would actually be useful. For example, "Product survives 24 hours of fuzzing with zero exceptions", "All processes and modules use minimum standards for mitigations", "An attack surface analyzer report identifies no new issues", and so on. Award bonus points in some ranking for using sandboxing, and maybe we'll see the first vendor actually implement that.
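As an added illustration of what an automated "minimum standards for mitigations" check could look like (and of how the "scanning process didn’t enable ASLR" finding above is detected), here is a small PE header audit. This is example code written for this page, not code from the post, from Comodo or from Verizon's methodology. The policy it enforces (ASLR, high-entropy ASLR for 64-bit images, DEP and CFG) is an assumption chosen for the demo; the flag values come from the PE/COFF specification, and the minimal PE image it builds is constructed for the demo and is not a loadable executable.

```python
"""Audit a PE image's opt-in exploit mitigations from its headers.

Added example for this page, not code from the post or from any vendor.
The required mitigation set below is this example's own policy (an assumption);
the flag constants are the documented PE/COFF values.
"""
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags (PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
# IMAGE_FILE_HEADER.Characteristics flag: image carries no relocations, so it cannot be rebased.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_headers(data):
    """Return (optional-header magic, COFF Characteristics, DllCharacteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER (20 bytes)
    coff_chars = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 0x46 in both the PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 0x46)[0]
    return magic, coff_chars, dll_chars


def missing_mitigations(data):
    """List the mitigations the image does not opt into; an empty list means it passes."""
    magic, coff_chars, dll_chars = parse_pe_headers(data)
    missing = []
    if not dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        missing.append("ASLR (DYNAMIC_BASE)")
    elif coff_chars & IMAGE_FILE_RELOCS_STRIPPED:
        # The flag is set, but without relocations the loader cannot actually move the image.
        missing.append("ASLR (DYNAMIC_BASE set but relocations stripped)")
    if magic == PE32PLUS_MAGIC and not dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA:
        missing.append("High-entropy ASLR (HIGH_ENTROPY_VA)")
    if not dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        missing.append("DEP (NX_COMPAT)")
    if not dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF:
        missing.append("CFG (GUARD_CF)")
    return missing


def audit_file(path):
    """Convenience wrapper for a real on-disk executable or DLL."""
    with open(path, "rb") as f:
        return missing_mitigations(f.read())


def build_sample_pe(magic, dll_chars, coff_chars=0):
    """Constructed minimal headers (DOS header, PE signature, COFF and optional header).
    Enough for the audit above; not a loadable image."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE signature follows the DOS header
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 0x46, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_sample_pe(PE32PLUS_MAGIC, 0x0020 | 0x0040 | 0x0100 | 0x4000)
    legacy = build_sample_pe(PE32_MAGIC, 0, coff_chars=IMAGE_FILE_RELOCS_STRIPPED)
    for name, image in (("hardened", hardened), ("legacy", legacy)):
        print(name, "->", missing_mitigations(image) or "all required mitigations present")
```

Running `audit_file` over every executable and DLL an installer drops, and failing the run on any non-empty list, is the whole of the automated test; the relocations-stripped case is included because a module can carry the DYNAMIC_BASE flag and still load at a fixed address, which a flag-only check would wrongly pass.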


Something has to change soon. The next Slammer or Code Red isn’t going to target IIS or MSSQL: the security of Microsoft products is in a different universe than it was a decade ago. All of the major security vendors are using ancient codebases with no awareness of modern security practices; it’s still hacking like it’s 1999.

85 comments:

Lunar said...

Travis, is there an AV product or company that you would recommend over the others?

Eugene M said...

Comodo have been pushing one of their "security" tools developed to sandbox applications within compromised Windows boxes to prevent data leakage (MITM, ScreenGrabs, Keylogin, etc). It sounded too good to be true and sure enough, it took me under an hour to circumvent their "security". Yet the product is still being pushed on others and I see some large organizations purchasing tens of thousands of licenses.

There are two problems. One is that their development teams (contracted out) aren't versed in security overall. Two, 3rd party testing firms are not doing their due diligence.

What can we expect if so-called cyber security companies don't take their own security seriously? Is it reasonable to expect their products to be?

ShawnM said...

Thank you for the article!
When it comes to cloud-based services I always ask one question: "What about cyber security?". This is because if you use any service you should be aware of any possible issues. In my case, I use ideals data room secure file sharing for very important data so I can be sure my data is safe.

Mirnalini Sathya said...

Excellent blog!!! Thank you for this useful information.Best QTP Training in Chennai | QTP training

.Loadrunner Course in Chennai | Loadrunner training institute in Chennai

SKARtec Digital Marketing Academy said...

Thanks for sharing this with us, it is a worth read. Excellent post!!! Our Digital Marketing Training is tailored for beginners who want to learn how to stand out digitally, whether it is for their own business or a personal brand.

Digital Marketing Training in Chennai

Max Morrison said...

The product is still being pushed on others and I see some large organizations purchasing tens of thousands of licenses. Chaussures Nike Air Max
Chaussures Nike Air Max Flyknit
Chaussures Nike Air Max Tailwind
Chaussures Nike Air Max Zero

Rasool Bevi said...

Thanks for blogging about Software Testing, I hope you will post more regarding software testing, keep blogging...
Regards,
Software testing training|Software training|Software testing training in chennai

sunilkumarkuppam said...

Thanks for sharing this information and keep updating us. This is more informative and it really helped me to know the Android.
Android Training in Chennai | Android Course in Chennai | Android Training Chennai

Claire Merrett said...

I would suggest it to every single person out there who is confronting the same issues!find out more

Neemu NA said...

Thanks for sharing useful information and keep update with us , Hi We at Colan Infotech Private Limited a
Mobile application development company in chennai,
is Situated in US and India, will provide you best service in
enterprise mobile app development company .

janu3vj said...

Thanks for the awesome share
We at Colan Infotech Private Limited best web design company in chennai,is Situated in US and India,
will provide you best service in qa testing services
Design Services and Colan Infotech has a group of exceedingly dedicated, inventive and creative experts with an energy for delivering exciting ,
helpful and stylish Web and Mobile Applications, We are one of the best software testing services company
and of course we stepped in bangalore too we are best qa and testing services
can provide quality assurance and testing services,
we are the best among the software testing company india

Vanu said...

Thanks for the awesome share
Hi we at Colan Infotech Private Limited , a company which is Situated in US and India, will provide you best service and our talented team will assure you best result and we are familiar with international markets, We work with customers in a wide variety of sectors. Our talented team can handle all the aspects of custom application development, we are the best among the dot net development companies in Chennai asp .net web development company
We have quite an extensive experience working with asp .net development services. we are the only asp.net web development company which offer custom services to a wide range of industries by exceeding our client’s expectations. You can even interact directly with the team regarding your project, just as you would with your in-house team, to achieve your dream product.Custom application development company, asp.net development companies,Hire asp .net programmers,asp.net web development services,dot net development companies in chennai Hire asp .net programmers. Here is a good resource if anyone in need of asp.net web development services
dot net development companies in chennai

Neemu NA said...

Thanks for sharing this information article
Hi we at Colan Infotech Private Limited , a company which is Situated in US and India, will provide you best service and our talented team will assure you best result and we are familiar with international markets, We work with customers in a wide variety of sectors. Our talented team can handle all the aspects of custom application development, we are the best among the dot net development companies in Chennai . asp .net web development company We have quite an extensive experience working with asp .net development services. we are the only asp.net web development company which offer custom services to a wide range of industries by exceeding our client’s expectations. You can even interact directly with the team regarding your project, just as you would with your in-house team. hire asp.net programmers to achieve your dream product.
Custom application development company, asp.net development companies, asp .net web development company,Hire asp .net programmers,asp.net web development services,dot net development companies in chennai Hire asp .net programmers/ hire asp .net developer  . We are the best asp .net development company providing top notch asp .net development services Hire asp .net programmers/ hire asp .net developer  . We are the best asp .net development company providing top notch asp .net development services.

Neemu NA said...

Hi we at Colan Infotech Private Limited , a company which is Situated in US and India, will provide you best java web service and our talented
java application development. team will assure you best result and we are familiar with international markets, We work with customers in a wide variety of sectors. Our talented team can handle all the aspects of
Java web application development,we are the best among the
Java development company.
We have quite an extensive experience working with
java development services.
we are the only Java application development company which offer custom services to a wide range of industries by exceeding our client’s expectations. You can even interact directly with the team regarding your project, just as you would with your in-house team.Our pro team will provide you the best
java application development services.
We are best among the
java development companies in Chennai,
please review our customer feedbacks so that you may find a clue about us. If you want one stop solution for java development outsourcing, Colan infotech is the only stop you need to step in. Colan Infotech is the unique
java web development company.were our team of unique
java application developer
were ranked top in
java enterprise application development.

Neemu NA said...

Thanks for sharing useful information article to us keep sharing this info,
Hi We at Colan Infotech Private Limited a
Mobile application development company in chennai,
is Situated in US and India, will provide you best service in
enterprise mobile app development company .
and Colan Infotech has a group of exceedingly dedicated, inventive and creative experts with an energy for delivering exciting , helpful and stylish Web and Mobile Applications, We work with customers in a wide variety of sectors.
We design all of our websites and applications using the responsive web design approach. Our talented team can handle all the aspects of mobility so we are rated as best service provider in
Mobile apps development companies in chennai.

We solidly trust that our customers start things out and there is not a viable alternative for quality of service.
We offer custom services to a wide range of industries by exceeding our client’s expectations. You can even interact directly with the team regarding your project, just as you would with your in-house team. we always desire to solicit our customer's fruitful experience with us, we are the top notch
Mobile App Development Company in chennai
and mobile app development companies in Bangalore. We can provide best
mobile app development chennai .
We can provide cutting edge technology services in
Mobile application development in chennai.
Reach us for mobile app development chennai or just call us for best
mobile app developers in chennai .

Andria BZ said...

Informative post :)
Regards,
Software testing training in chennai

sunilkumarkuppam said...

This article provides the information about Java its key features and scope for java professionals. This information is really helpful me to know more about Java programming language.
Java Training in Chennai | Java Training | Java Course in Chennai

sunilkumarkuppam said...


This article is so informative and it really helped me to know more about the Selenium Testing. This selenium article helps the beginners to learn the best training course. So keep updating the content regularly.
Selenium Training in Chennai | Best Selenium Training institute in Chennai | Selenium Course in Chennai

John Arriaga said...

Nicest information!!! I'll be enchanted to greatly help due to what I've learnt from here. Mark Hurd

Paul Miller said...


Excellent post! When you are going to update your next post, I really very excited to see your upcoming articles. So please share information with an effective content of latest technology.
Selenium Training in Chennai|Selenium Training

niyam faz said...

Awesome blogs Thanks for sharing this useful information.
asp .net web development company.
asp .net development services.
Custom application development company

Aptron said...

Thanks for posting useful information. Your Blog helps to clarify a few term for me as well as giving. Great article and interesting about it..

Embedded System Training in Delhi | Matlab Training Instiute in Delhi

Adler Eagle said...

Here at this site really the fastidious material collection so that everybody can enjoy a lot. wireless internet

John Arriaga said...

I outright point of view and revalue your repair on every objective. http://dinstrom.no

Jennifer Caleb said...

Found your blog excessively interesting indeed. I really enjoyed studying it. billig strom stromleverandorer

Daniel Ryan said...

I think this is thoroughly unparalleled. wuzzatree.com

Nitish Rana said...

Are you looking for best website to download eBook torrents for free? Then Ebook Share will be the right place. ebookshare | kovalanj

Aken Don said...

It’s really such nice information to get advantage from. Peter Roberts

Nandhini said...

Really awesome blog. Your blog is really useful for me. Thanks for sharing this informative blog. Keep update your blog...Software Testing Training in Bangalore

Jennifer Caleb said...

I went over this website and I conceive you've got a large number of splendid information, http://forbrukeretaten.no/webhotell/billig-webhotell-sammenligning/

Salvador Tom said...

I’m impressed with the special and informative contents that you just offer in such short timing. atelie me

Logu christy said...

Nice blog, here I had an opportunity to learn something new in my field. I have an expectation about your future post so please keep updates...Thanks..
Big Data Analytics Training in Chennai | Dot Net Training in Chennai

Jayarajan K said...

Excellent post. very well explained neatly.
online aptitude training | learn core java online | MBA in marketing management | MBA in event management | Big data analytics training | Big data for beginners | annamalai university distance education mba | Analytics courses

sunilkumarkuppam said...

This article provides the information about Java its key features and scope for java professionals. This information is really helpful me to know more about Java programming language. Java Training in Chennai | Java Training | Java Course in Chennai

sunilkumarkuppam said...


This article is more interesting and content is really useful to me. Keep updating the content regularly and this software testing content is helped to know more detailed.Software testing training in Chennai | Software testing training | testing training in Chennai

Tanya said...

Training of software training

sunilkumarkuppam said...

This article is so informative and it really helped me to know more about the Selenium Testing. This selenium article helps the beginners to learn the best training course. So keep updating the content regularly.
Selenium Training in Chennai | Selenium Training institutes in Chennai | Best Selenium Course in Chennai

Tanya said...

This article provides the information

SAP training

Logu christy said...

Thanks for sharing your informative article. The information about the selenium is really much more informative...Keep in blogging regularly..
Web Designing Training in Chennai | Python Training in Chennai

jhansi joe said...

Thanks for your informative article. Your post helped me a lot to understand the future in .Net mobile application development. DOT NET Training in Chennai

Sanjana E said...

Secure Software certification allows candidates to demonstrate mastery of the security knowledge and skills needed to deal with common programming errors that lead to most security problems.
Software testing selenium training in Chennai

Aken Don said...

This matter is down to earth, hats off buds out there. amit kort

Ramya Krishnan said...

Thanks a lot, very much informative article, it is really useful. keep sharing more blogs.
Selenium Training

AngelaMetz said...

A useful article, especially for people who understand little of this. I once did not understand anything about this, and then I ran into viruses on my PC. Now I have found a good antivirus for myself https://yumdownload.com/comodo-internet-security. One major difference from many, you do not need to configure it, so that it works correctly.

Jenny Hayes said...

I am certain this article has touched all the web visitors; it’s very extremely lovely script. Jake Pandamanda

raj kumar said...

Nice blog for learning certification courses. We Besant Technologies offer best training for all the software courses. I share our course website that will help you to learn the basic. Best of luck..,

Hadoop Training in Bangalore

Selenium Training in Bangalore


Amar G said...

veryniceblog

Ramya Krishnan said...

Thanks for Sharing valuable article, very impressive and understandable, once again thank and all the best.
Software Testing Training in chennai |Software Testing Training in velachery

Ultimate Webdesigns said...

Security is the big part of software department and for a professional company security system is must for their work on any project or using any software app. You can visit on the best web design company for web services. Web Design Company Auckland

Krishna Veni said...

Very impressive, Nice blog, Thanks for sharing your info, very easy to understand and really helpful for me.
Java Training in velachery | Java Training institute in velachery

Nancy Garero said...

Just because of their popularity and effective features of the SAP system it will become very common tools for every business firm. The business owner use this SAP tools for controlling the company and making the decision quickly and the current time of problem occurring. You will get this system easily for you by visiting this https://twbs.com/.

raj kumar said...

Really awesome blog. Your blog is really useful for me. Thanks for sharing this informative blog. Keep update your blog.


Selenium Training in Bangalore

Melba henry said...

I really enjoyed while reading your article, the information you have delivered in this post was damn good.Keep update...
Selenium Training in Chennai | Software Testing Training in Chennai

Azar Spadrow said...

Great post.first of all Thanks for writing such lovely Post! Earlier I thought that posts are the only most important thing on any blog.Thanks for sharing..
Big Data Analytics Training in Chennai | Java Training in Chennai

Priya B said...

Great and nice blog thanks sharing..I just want to say that all the information you have given here is awesome...
Software Training institute in Velachery
PHP Training in Velachery

caroline jesi said...

Explanation was crystal clear & I am planning to do security software certification with your organization, keep sharing more
Regards,
Android Training|Android Training in Chennai|iOS Training in Chennai

Rajasekar L said...

Thank you for sharing such a nice and interesting blog with us. Hope it might be much useful for us. keep on updating...!!
Freshers Jobs
Freshers Jobs in Chennai

jhansi joe said...

In near future, big data handling and processing is going to the future of IT industry. Thus taking Hadoop Training in Chennai | Big Data Training in Chennai will prove beneficial for talented professionals.

Amirtha rao said...

Excellent article on load testing!!! This testing exhibits the ability of a software application/system to withstand actual load. Loadrunner Training in Chennai | Best Loadrunner training institute in Chennai|Qtp training institutes in chennai

Anoushka said...

It is natural to make mistake while developing your application as a developer.

Keep updating more knowledge on Software testing. Selenium is the best automation

testing tool to test any application.

Selenium Training in chennai |
Selenium Course in Chennai

abril joseph said...

The Besant Technologies is good at providing placements for students with good packages. It is one of the best institute in Chennai. Software Testing Training in Chennai |
Selenium Training in Chennai |

Michael said...

Hey, thanks for sharing this informative post. From last few days I am browsing about software testing and collecting information but now I think my search come to an end. It is really a great post to read out looking forward to read more from you.software customer training

abril joseph said...

Authorized Pearson VUE Test Centre for Bangalore.

Authorized Pearson VUE Test Centre for Microsoft, Adobe, HP, VMware, Cisco, Oracle, COMPTIA, Pegasystems and more international certification examinations in Bangalore.

We are an Authorized Castle Exam Test Center in Bangalore .Kindly click on the below link to download the list of Certification testing programs offered through Castle Exam Test Center.

We provide Pearson VUE Certification Exam testing in Bangalore . We also have the facility to provide Pearson VUE certification exam testing at your location anywhere in India through our mobile certification testing unit.

Please fill-in the enquiry form to know more about our International Certification Exam Testing services and to register your interest to take a Castle or a Pearson VUE certification examination in Bangalore.
Pearson Vue Exam Center in Bangalore |
Pearson Vue Exam Centers in Bangalore |

Nandhini said...

You made some good points there. I did a search on the topic and found most people will agree with your blog.
Hadoop Training in Chennai

Jenifer Hayes said...

I sent your articles links to all my contacts and they all adore it including me.
venture funding

kanaga vinothkumar said...

Awesome blog thanks for sharing.
Hadoop Training in Chennai

Richard Rey said...

You entirely go with our expectation and the range of our information.
aplikasi judi online

mind.it said...

Is it alright to post a portion of this on my site fundamentally present a hyperlink on this site page? quality assurance software testing 

Jennifer Caleb said...

Refines the guidelines for resetting benistar ACO benchmarks to assist ensure that the plan continues to supply strong incentives with regard to ACOs to enhance individual care as well as generate financial savings, as well as declares CMS’ intention to suggest further improvements to the benchmarking methodology…

Abarna Baskar said...

Really nice informative article... Wish to learn all types of certification courses, reach Best Software Training Institute in Velachery or enroll you in Login to learn all certification courses at the low cost.

Ezhilarasu L said...

Thanks for sharing this with us, it is a worth read. Excellent post!!! Our Digital Marketing Training is tailored for beginners who want to learn how to stand out digitally, whether it is for their own business or a personal brand.
PHP Training Institute in Chennai

varshini devi said...

Thanks for sharing and keep updating such post. Beautiful said! Wishing to learn course.
Hadoop Training in Chennai
Hadoop Training Chennai

nishanth said...

Very Interesting information and details:
Devops Training in Bangalore
itEanz

Unknown said...

very nice blog python training in bangalore

Unknown said...

Great information. Thank you for sharing

Unknown said...

Very nice post. Awesome article... Really helpful

Emma Olivia said...

Nice Blog.

Best Web Development Company In India

I. Aswin Karthick said...

Thank you very useful java training in chennai struts training in chennai

sobiga J said...

Thank you !! Amazing Write Up !!
Robotics training in chennai
Php training in chennai
Ieee electrical projects in chennai
Final year java projects chennai
Digital marketing company in chennai
Chennai to Tirupati Package cheap and best travels
Chennai car rental outstation
Melisa said...

Thanks for your informative article. Java is most popular programming language used for creating rich enterprise, desktop and web applications. Keep on updating your blog with such informative post. J2EE Training in Chennai | JAVA Training in Chennai|

for IT the said...

Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a Java developer learn from Java Training in Chennai. or learn thru Java Online Training India . Nowadays Java has tons of job opportunities on various vertical industry.

Unknown said...

Useful article. Thanks for sharing

shalu said...

Your post about technology was very helpful to me. Very clear step-by-step instructions. I appreciate your hard work and thanks for sharing.
Selenium Training in Chennai
Selenium Course in Chennai
Selenium Training

Salman said...

Thank you !! Very useful !! final year matlab projects chennai ieee dot net projects chennai asp dot net training in chennai Mysql training in chennai