Test it (for security holes) before you buy it

It seems that blackbox testing tools (fuzzers) are gaining ground, but not in the way I would have expected.

I expected software/networking vendors to be buying commercial fuzzers to check their products for security holes (or using open source fuzzing tools as part of the development cycle). Surprisingly, most companies I know that have implemented fuzzers are not the ones writing code, but those who rely on other people’s products – telcos, cell phone providers, financial institutions, and equipment suppliers.

Apparently, some of these companies check third-party products for security holes before they install them in their network.

While this ‘certification’ attitude is expected from financial institutions, it is pleasantly surprising to see it from equipment suppliers. One large telco went as far as informing several networking equipment vendors that any new version of their networking products will undergo extensive security tests before it is purchased. Since the tests are done with a commercial fuzzing product, the networking vendor has a chance to buy a similar product and do its own testing in the development lab, sparing itself the embarrassment of having the customer find its security holes for it.

Perhaps I shouldn’t be too surprised – there were many instances of organizations running Nessus on their networking equipment and sending the vendor a ‘report card’ with all the known vulnerabilities present in the product. But doing a quick Nessus run is very different from implementing security testing as part of the acceptance process: a scanner can only report vulnerabilities that are already known and signatured, while a fuzzer feeds the product malformed input to find holes nobody has reported yet. At least one company picked up on this upcoming trend – BreakingPoint’s business model is around companies benchmarking security products before deciding which ones to buy. Will this trend tie in with testing products for security holes before deciding which ones to buy?
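To make the difference between a scanner report card and fuzz-based acceptance testing concrete, here is an added example (it is not code from the original post, nor from Nessus, BreakingPoint or any product mentioned). It consists of a toy TLV parser standing in for the product under test, with a deliberately constructed length-handling defect; a scanner-style lookup against a constructed list of known-vulnerable versions; and a small mutation fuzzer wired into an acceptance check. The version string `1.2.0`, the seed message and the known-bad version list are all assumptions made for the example.

```python
import random
import struct

# Constructed seed message for the toy protocol: two well-formed TLV records.
SEED_MESSAGE = b"\x01\x00\x03abc" + b"\x02\x00\x02xy"

# Constructed stand-in for a scanner's signature database of known-bad versions.
KNOWN_VULNERABLE_VERSIONS = {"1.0.0", "1.1.0"}


def parse_tlv(data: bytes) -> list:
    """Toy type-length-value parser standing in for the product under test.

    Deliberate defect (constructed for this example): the declared length is
    trusted, so a length larger than the remaining buffer causes an
    out-of-bounds read (IndexError), the Python analogue of a memory-safety
    crash in a native implementation. Malformed headers are rejected cleanly
    with ValueError, which is the parser's intended error path.
    """
    records = []
    i = 0
    while i < len(data):
        if i + 3 > len(data):
            raise ValueError("truncated header")
        rec_type, length = struct.unpack_from(">BH", data, i)
        i += 3
        value = data[i:i + length]
        if length:
            # Bug: reads value[length-1] without checking that `length` bytes exist.
            _ = value[length - 1]
        records.append((rec_type, value))
        i += length
    return records


def known_vuln_scan(version: str) -> bool:
    """Scanner-style check: True only if the version matches a known vulnerability."""
    return version in KNOWN_VULNERABLE_VERSIONS


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation of the seed: overwrite a byte, set a byte to 0xFF, or truncate."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        buf[rng.randrange(len(buf))] = 0xFF
    else:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int, rng_seed: int = 1) -> list:
    """Mutation fuzzer: returns the inputs that made the parser fail unexpectedly.

    ValueError is the parser's intended rejection of bad input and is not a
    finding; any other exception is recorded as a crash.
    """
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception:
            crashes.append(case)
    return crashes


def acceptance_gate(version: str, parser, seed: bytes, iterations: int = 500) -> dict:
    """Pre-purchase check combining both steps: known-vulnerability lookup and a fuzz run.

    The product is accepted only if neither step finds anything.
    """
    known = known_vuln_scan(version)
    crashes = fuzz(parser, seed, iterations)
    return {
        "version": version,
        "known_vulnerable": known,
        "fuzz_crashes": len(crashes),
        "accepted": not known and not crashes,
    }


if __name__ == "__main__":
    # Hypothetical version 1.2.0: unknown to the scanner, but the fuzzer finds crashes.
    print(acceptance_gate("1.2.0", parse_tlv, SEED_MESSAGE))
```

The scanner passes the hypothetical version because nothing has been published about it; the fuzzer rejects it within a few hundred mutations because it finds inputs the parser cannot survive. In a real acceptance lab the parser would be the device under test and the crash detector a watchdog on the device, but the gate logic is the same.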

Another pleasant surprise is that Microsoft, which has been behind in terms of security for many years (to the point where many people, myself included, were convinced that they “just don’t get it”), has implemented a fuzzing infrastructure that is more advanced than anything else I’ve seen. A couple of networking vendors are not too far behind, but the rest of the software development world seems to be in the security testing dark ages.

This is obviously a good step for the security world – if large customers begin to pressure product vendors to develop more secure products (rather than spend marketing dollars on branding themselves as secure), product security will have a clearer ROI and the result will be more secure products.

A cynical friend of mine told me that this is yet another proof that product vendors will not take steps to increase their products’ security unless pushed to do so by external forces. I tend to think that whatever the reasons, a net result of fewer security holes is good for everyone.