Orca Security scanned more than 2,200 virtual appliance images – the same ones that your company probably uses every day. The images represented over 500 vendors. They were found on the marketplaces at Amazon, Microsoft, Google and others. They included both open source and commercial (licensed) software.
Orca created a scoring system that ran from 0 to 100. Companies (or images, actually) lost points for:
* Unsupported or no longer supported operating systems
* Contained 1 or more high profile vulnerabilities (from a list of 17 that they created)
* Contained 1 or more vulnerabilities with a CVSS score of 9 or higher (critical)
* Contained 1 or more vulnerabilities with a CVSS score between 7 and 9
Grades ran from A+ (really cool) to F (not so cool). Just like school.
They got an instant F if they:
* Used an unsupported operating system
* Had 4 of the 16 high-profile vulnerabilities
* Had 20 or more flaws with a CVSS score of 9 or higher
* Had 100 or more flaws with a CVSS score between 7 and 9
* or had more than 400 unique vulnerabilities
That seems pretty freaking generous to me. I’d cut those thresholds way down. 19 flaws with a CVSS score of 9 or higher is okay? I don’t think so.
Still, that was the threshold.
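As an added illustration (not from the Orca report or the CSO article), here is how the automatic-F rules above can be applied as a pre-deployment gate over a scan result, with a second, tighter policy of the kind the author is asking for. The strict thresholds, the sample image and its CVE ids are constructed placeholders.

```python
from dataclasses import dataclass, field

# Orca's automatic-F thresholds, as summarised on the page.
ORCA_FAIL = {"unsupported_os": True, "high_profile": 4, "critical": 20, "high": 100, "total": 400}
# Tighter thresholds: constructed for this example, not taken from the report.
STRICT_FAIL = {"unsupported_os": True, "high_profile": 1, "critical": 1, "high": 20, "total": 100}


@dataclass
class ScanResult:
    image: str
    os_supported: bool
    cves: dict                                   # CVE id -> CVSS base score
    high_profile_hits: set = field(default_factory=set)  # ids on the "high-profile" list


def summarise(scan):
    """Reduce a scan to the metrics the grading rules look at."""
    scores = list(scan.cves.values())
    return {
        "unsupported_os": not scan.os_supported,
        "high_profile": len(scan.high_profile_hits),
        # 9.0 counts as critical ("9 or higher"), so "between 7 and 9" is 7.0 <= s < 9.0
        "critical": sum(1 for s in scores if s >= 9.0),
        "high": sum(1 for s in scores if 7.0 <= s < 9.0),
        "total": len(scan.cves),
    }


def failing_reasons(scan, policy=ORCA_FAIL):
    """Return the list of rules that trigger an automatic F; empty means the gate passes."""
    m = summarise(scan)
    reasons = []
    if policy["unsupported_os"] and m["unsupported_os"]:
        reasons.append("unsupported operating system")
    for key in ("high_profile", "critical", "high", "total"):
        if m[key] >= policy[key]:
            reasons.append(f"{key}: {m[key]} >= {policy[key]}")
    return reasons


def constructed_scan():
    # Constructed sample, not a real scan: placeholder CVE ids and scores.
    scores = [9.8, 9.1, 9.0] + [7.5] * 25 + [5.3] * 12
    cves = {f"CVE-0000-{i:04d}": s for i, s in enumerate(scores)}
    return ScanResult("vendor-appliance (constructed)", True, cves, {"CVE-0000-0000"})


if __name__ == "__main__":
    scan = constructed_scan()
    print("Orca policy:", failing_reasons(scan) or "passes")
    print("Strict policy:", failing_reasons(scan, STRICT_FAIL) or "passes")
```

The same image passes Orca's thresholds and fails the strict ones on three counts, which is the gap the author is complaining about.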
So what was the result?
* 15% graded an F
* 16% graded a D
* 25% graded a C
* 12% received a B
* 24% got an A
* 8% got an A+
That means that less than half got above a C and 30% got a D or F. Less than 10% got a gold star.
In total, Orca’s scanning identified 401,571 vulnerabilities across 2,218 appliances.
Almost half had not been updated by the vendor in the last year and only 2.8% had been updated in the last month.
This test includes both security and non-security product vendors, but security vendors only scored a low B, on average.
There are more details in the article, but the bottom line is that you really can’t trust vendors when it comes to security. That is not great news. Some hardened security appliances did score well, but again, how do you know when you install an image that you got from the vendor’s store?
First thought is to ask the vendor. Second thought is that you have to scan the virtual appliance before you connect it to the Internet.
Great. Something else for my to-do list.

Credit: CSO Online