Most security products flunk test on basic use: ICSA Labs

Crucial part of victory against cyber crime must be won inside accredited test labs

Almost 80 per cent of security products failed to pass the first test required before certification, according to the latest report released by ICSA Labs.

The ICSA Labs Product Assurance Report said it usually takes at least two cycles of testing before its certification is awarded.

George Japak, managing director of ICSA Labs and a co-author of the report, said: "The question I ask vendors is: 'Who would you rather have find an issue in your product--ICSA Labs in a safe testing environment or a criminal in the real world?'"

The first-of-its-kind study was co-authored by the Verizon Business Data Breach Investigations Report research team.

Most fundamental

In analysing relevant data based on tests of thousands of security products in the last 20 years, the report identified the common flaws festering in security products.

The most fundamental reason behind the failure in product tests is as basic as the inability to adequately perform as intended. The test for this is reserved in the category known as core product functionality, which according to the report, accounted for 78 per cent of initial test failures.

Consider, for instance, a case of an anti-virus product unable to prevent infection or an IPS (intrusion prevention system) product that could not filter malicious traffic.

At 58 per cent, the next most common blunder is the failure of a product to completely and accurately log data. The ICSA Labs report suggested that some vendors and enterprise users view logging as a nuisance and just a "box to check".

A hurdle for firewalls

Logging is particularly challenging for firewalls, according to the report.

This was indicated by the record that at least one logging problem had been experienced by 97 per cent of network firewall or 80 per cent of Web application firewall tested.

The third most significant reason for product failure is the finding that 44 per cent of security products had inherent security problems.

These vulnerabilities include compromising the confidentiality or integrity of the system and random behaviour that affects product availability.

Try again

The report also highlighted the rigorous scrutiny in ICSA labs testing and certification, stating that only four per cent of the products submitted got the certification during the first testing cycle.

While the report might appear discouraging for first-timers, the reward awaits the persevering security product developers.

ICSA Labs said as high as 82 per cent of resubmitted products for the testing received the stamp of approval.

"When a product fails, we encourage vendors to view this as an opportunity to improve the product before it goes to market," said Japak.

However, products are required to undergo continuous testing to maintain the certification.

An independent division of Verizon Business, ICSA Labs offers vendor-neutral testing and certification of security products in the global market.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about CrucialCSAetworkICSAIPSVerizonVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by MIS Asia writer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts