Saturday, March 12, 2016

Security Software Certification

I’ve been working on cleaning up some of the low-hanging vulnerabilities in major security products lately. For the last two weeks, I’ve been looking at Comodo Antivirus, and have developed a reasonable understanding of how the product works and what it does. Just installing the product, I immediately noticed a few simple problems. Things like:


  • The default installation included and enabled a VNC server with weak authentication.
  • The browser installed by default disabled the same origin policy.
  • The scanning process didn’t enable ASLR.
  • Incorrect ACLs used throughout the product.


These issues are mostly fixed now; Comodo have been responsive and are taking all of these reports seriously. Identifying these problems didn’t require any skill; there are point-and-click tools that can identify some of these problems. Then, using techniques familiar to most security professionals, I went on to find critical memory corruption flaws.


After that, I used reverse engineering to find even more serious design flaws and logic errors. Comodo aren’t alone here; it’s the same story for all the major security software vendors.


Unfortunately, I’m not doing a thorough job. I don't have access to source code, developer documentation, or symbols, and I can’t ask the developers questions about their code. A competent security consultancy brought on-site by the vendor could do a much better job.


Still, I’m trying to clean up some of the low-hanging fruit that is endangering billions of users worldwide. I don’t think the antivirus industry is going to make even a token effort at resolving these issues unless their hand is forced.


While I've been working on this audit, triaging and analyzing hundreds of unique bugs, and writing vulnerability reports, I noticed that Comodo were busy working on certification from Verizon. This certification process isn’t free, and products have to follow guidelines from the certifier. It doesn’t take a genius to figure out that the testing methodology was most likely installing Comodo, then scanning a thumbdrive full of malware - but the fact is that vendors are willing to pay to make that happen and implement the guidelines they publish.


Verizon actually publish their methodology, and it’s about as ridiculous as you would expect. Requirements for “excellence” include “The Certification Candidate must include Administrative Functions to Enable and disable the Detection of Malware”, and “The Certification Candidate must demonstrate through On-Demand testing that it Detects Malware”.


These are the meaningless tests that antivirus vendors will actually scramble to pass. Perhaps the first step in improving the situation throughout the industry is making sure these certifications actually test something worthwhile.


There’s no need to reinvent the wheel here: why don’t these tests simply integrate some part of Microsoft’s SDL? Many of these tests can be automated, but their results would actually be useful. For example, "Product survives 24 hours of fuzzing with zero exceptions", "All processes and modules use minimum standards for mitigations", "An attack surface analyzer report identifies no new issues", and so on. Award bonus points in some ranking for using sandboxing, and maybe we'll see the first vendor actually implement that.
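The "minimum standards for mitigations" check above, and the earlier observation that the scanning process didn't enable ASLR, are exactly the kind of thing a certifier could automate with a static header check. The following is an added example, not code from the post or from any vendor or certification body: it walks the PE headers directly (the flag values come from the PE/COFF specification), reports which of ASLR, DEP and CFG an image has opted into, and catches the case where the ASLR flag is set but relocations have been stripped, so the loader cannot actually rebase it. The sample images are constructed in memory for the demonstration; with file paths as arguments it audits real binaries instead.

```python
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags (PE/COFF specification values)
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR opt-in)
HIGH_ENTROPY_VA = 0x0020  # 64-bit image can use the full high-entropy address space
NX_COMPAT = 0x0100        # image is compatible with DEP
GUARD_CF = 0x4000         # image was built with Control Flow Guard
# IMAGE_FILE_HEADER.Characteristics flag
RELOCS_STRIPPED = 0x0001  # no relocation data: loader cannot rebase the image
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_header(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header
    and return the fields that matter for mitigation checks."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symtab, _nsyms, opt_size, coff_chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional header
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": machine,
        "is_64bit": magic == PE32PLUS_MAGIC,
        "relocs_stripped": bool(coff_chars & RELOCS_STRIPPED),
        "dll_characteristics": dll_chars,
    }


def missing_mitigations(data: bytes) -> list:
    """Return a list of findings; an empty list means the image opts in to
    ASLR, DEP and CFG and can actually be relocated."""
    hdr = parse_pe_header(data)
    dc = hdr["dll_characteristics"]
    findings = []
    if not dc & DYNAMIC_BASE:
        findings.append("ASLR: DYNAMIC_BASE not set")
    elif hdr["relocs_stripped"]:
        # Flag is set but there is nothing to relocate: the image lands at its
        # preferred base every time, so the flag buys nothing.
        findings.append("ASLR: DYNAMIC_BASE set but relocations stripped")
    elif hdr["is_64bit"] and not dc & HIGH_ENTROPY_VA:
        findings.append("ASLR: HIGH_ENTROPY_VA not set on 64-bit image")
    if not dc & NX_COMPAT:
        findings.append("DEP: NX_COMPAT not set")
    if not dc & GUARD_CF:
        findings.append("CFG: GUARD_CF not set")
    return findings


def build_test_image(magic: int, dll_chars: int, coff_chars: int = 0) -> bytes:
    """Constructed sample: a header-only PE with no sections (not loadable),
    just enough to exercise the checker offline."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos_stub + b"PE\0\0" + coff + bytes(opt)


# Constructed samples, not real product binaries.
SAMPLES = {
    "hardened_x64": build_test_image(
        PE32PLUS_MAGIC, DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT | GUARD_CF),
    "legacy_x86": build_test_image(PE32_MAGIC, 0),
    "aslr_flag_but_relocs_stripped": build_test_image(
        PE32_MAGIC, DYNAMIC_BASE | NX_COMPAT | GUARD_CF, RELOCS_STRIPPED),
}

if __name__ == "__main__":
    # With file arguments, audit real images; otherwise run the constructed samples.
    targets = {p: open(p, "rb").read() for p in sys.argv[1:]} or SAMPLES
    for name, blob in targets.items():
        findings = missing_mitigations(blob)
        print("%-32s %s" % (name, "OK" if not findings else "; ".join(findings)))
```

This is a static check only: it tells a certifier what the build opted into, which is the cheap, automatable half of the test. Whether the mitigation is actually in force at runtime also depends on the OS version and on any process-level mitigation policy, so a certification would pair this with a look at the running processes.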


Something has to change soon. The next Slammer or Code Red isn’t going to target IIS or MSSQL: the security of Microsoft products is in a different universe than it was a decade ago. All of the major security vendors are using ancient codebases with no awareness of modern security practices; it’s still hacking like it’s 1999.

23 comments:

Lunar said...

Travis, is there an AV product or company that you would recommend over the others?

Eugene M said...

Comodo have been pushing one of their "security" tools developed to sandbox applications within compromised Windows boxes to prevent data leakage (MITM, ScreenGrabs, Keylogin, etc). It sounded too good to be true and sure enough, it took me under an hour to circumvent their "security". Yet the product is still being pushed on others and I see some large organizations purchasing tens of thousands of licenses.

There are two problems. One is that their development teams (contracted out) aren't versed in security overall. Two, 3rd party testing firms are not doing their due diligence.

What can we expect if so-called cyber security companies don't take their own security seriously? Is it reasonable to expect their products to be?
