I wonder how many organisations question their “security appliance” vendors about the actual security of the security appliances themselves. ie; what testing is done, how often, patch release testing, security in their own SDLC etc. From experience, we see most organisations make the assumption that since this is a “security” appliance, it must be secure.
Making assumptions that these systems are secure and thereby not including them in security tests and reviews as part of the organisation’s security assurance program can potentially open up and organisation to security compromises.
We work with security appliance vendors and do testing for them on their systems. These guys we trust because we know they care and are committed to providing secure systems to their clients.
Are they all doing that? We know that these systems are just as open to vulnerabilities as anything else in the corporate IT environment. Don’t assume your security appliance is secure. Ask questions and include these systems in your testing programs.
I saw an interesting one a few years ago with an IPS appliance.
It was vulnerable to an remote SSH vulnerability – but the vendor had no mechanism in place to patch it, and would not support the device if we got in and patched it our selves..
interesting times..
Check out the blog for more examples…
re my last comments, I meant to say,
“Check the b or b forum for more examples.”
ie; Checkpoint firewall, HP, etc.
INTERNET WARZ
[...] The security appliance/product evaluation testing which I alluded to here as becoming a core part of our business has been taking off quite well. Benefit for the vendors I [...]
Was it the F5 briefing, pitching some other vendor in the old gaol in 2004 Syd, when I asked them about pointing their devices at themselves or some such tomfoolery? DD / PB were there… D giggles.
[...] creates more risks – not less, as they [the client] would have expected by deploying it. Add the following into the equation and there’s even more to think about. This part is [...]