Secure Security Appliances? – Making Assumptions can be Risky.

Posted on April 7th, 2008 by Drazen Drazic

I wonder how many organisations question their “security appliance” vendors about the actual security of the security appliances themselves. ie; what testing is done, how often, patch release testing, security in their own SDLC etc. From experience, we see most organisations make the assumption that since this is a “security” appliance, it must be secure.

Making assumptions that these systems are secure and thereby not including them in security tests and reviews as part of the organisation’s security assurance program can potentially open up and organisation to security compromises.

We work with security appliance vendors and do testing for them on their systems. These guys we trust because we know they care and are committed to providing secure systems to their clients.

Are they all doing that? We know that these systems are just as open to vulnerabilities as anything else in the corporate IT environment. Don’t assume your security appliance is secure. Ask questions and include these systems in your testing programs.

8 Responses to “Secure Security Appliances? – Making Assumptions can be Risky.”

  1. Declan Ingram Says:
    April 8th, 2008 at 3:49 pm

    I saw an interesting one a few years ago with an IPS appliance.

    It was vulnerable to an remote SSH vulnerability – but the vendor had no mechanism in place to patch it, and would not support the device if we got in and patched it our selves..

    interesting times..

  2. Big Galoot Says:
    April 8th, 2008 at 4:04 pm

    Check out the blog for more examples…

  3. Big Galoot Says:
    April 9th, 2008 at 9:40 am

    re my last comments, I meant to say,
    “Check the b or b forum for more examples.”

    ie; Checkpoint firewall, HP, etc.

  4. dirty whitehat Says:
    April 9th, 2008 at 10:37 am

    INTERNET WARZ

  5. Beast Or Buddha » Blog Archive » Securus Global Update Says:
    September 5th, 2008 at 12:44 pm

    [...] The security appliance/product evaluation testing which I alluded to here as becoming a core part of our business has been taking off quite well. Benefit for the vendors I [...]

  6. D3 Says:
    September 5th, 2008 at 6:44 pm

    Was it the F5 briefing, pitching some other vendor in the old gaol in 2004 Syd, when I asked them about pointing their devices at themselves or some such tomfoolery? DD / PB were there… D giggles.

  7. Drazen Drazic Says:
    September 7th, 2008 at 5:49 pm

    :-) Wonder what they would see at all?

  8. Beast Or Buddha » Blog Archive » Workarounds, accepted mediocrity and questionable future benefits/improvements…. Says:
    March 22nd, 2009 at 7:08 pm

    [...] creates more risks – not less, as they [the client] would have expected by deploying it. Add the following into the equation and there’s even more to think about. This part is [...]

Leave a Reply