Over three quarters of security products fail an initial test and do not adequately perform

A report by ICSA Labs has claimed that nearly 80 per cent of security products fail to perform as intended.

The ‘ICSA Labs Product Assurance Report’, which is co-authored by the Verizon Business data breach investigations report research team, revealed that the main reason for product failure is that products do not adequately perform as intended. It claimed that products fail to perform as intended when first tested and generally require two or more cycles of testing before achieving certification.

Across seven product categories, core product functionality accounted for 78 per cent of initial test failures, such as an anti-virus product failing to prevent infection or an intrusion prevention system product failing to filter malicious traffic.

The failure of a product to completely and accurately log data was the second most common reason security products do not perform as intended. Incomplete or inaccurate logging of who did what and when accounted for 58 per cent of initial failures.

The third most significant reason for product failure was that 44 per cent of security products had inherent security problems, including vulnerabilities that compromise the confidentiality or integrity of the system and random behaviour that affects product availability.

The report stated: “Unfortunately, the market's solutions to all this newness are not always as legitimate as the need. Product quality is often left behind in the rush to be latest and greatest. New is distorted with innovative, bigger touted as better, and promises frequently exceed performance. Thus, the work of helping to distinguish fact from fiction is critical.”

It further claimed that ‘no-one ever said creating quality products was easy’. It said: “Of course, that doesn't mean they can't be substantially improved either. So, how often do violations occur during ICSA Labs certification testing? In short: almost always. It is unlikely that anyone's worldview will be radically altered if we claim that years of product testing at ICSA Labs upholds the old adage that ‘nothing is perfect’.

“It is extremely rare that a product attains certification in its first round of testing with no criteria violations. This was true in the early days of ICSA Labs and it is true today. With the exception of anti-virus, there is no substantive difference with regard to this finding across the testing programs. Some products exhibit major criteria violations, others relatively minor. Some have numerous deficiencies, others only a few.

“After the almost invariable first failure, most vendors attempt to make corrections and resubmit products for further testing. On average, 82 per cent of products deployed eventually achieve ICSA Labs certification. While it might be obvious, it is worth making a distinction here. 82 per cent does not refer to all products in existence; it refers only to those submitted to ICSA Labs for testing. For some programs this includes nearly all products in that market, but for others it represents the minority.”

George Japak, managing director, ICSA Labs and a co-author of the report, said: “Our goal is to help vendors develop more secure products. When a product fails, we encourage vendors to view that as an opportunity to improve the product before it goes to market.

“In addition to benefiting the security industry, this open exchange of information can greatly benefit enterprises by providing them more reliable and available information to make educated product purchasing and use decisions.”
