Oct 13, 2020
Cloud adoption is a key driver for enterprise innovation. Virtual appliances are an inexpensive and relatively easy way for software vendors to distribute their wares for customers to deploy in public and private cloud environments. However, this report found that keeping software vendors’ virtual appliances patched and secured has fallen behind.
To help move the cloud security industry towards a safer future and reduce risks for customers, Orca Security analyzed 2,218 virtual appliance images from 540 software vendors for known vulnerabilities and other risks to provide an objective assessment score and ranking. You can view the detailed research and scoring methodology along with the full table of results here.
The 540 software vendors included in this study came from across the globe, with the highest concentration being North America at 69.3%. However, it’s worth noting that many software vendors establish their global headquarters in the USA even though they hail from other countries.
Customers assume that software vendors’ virtual appliances are free from security risks such as known vulnerabilities and unsupported operating systems. The reality is a spectrum, from good to bad, with many virtual appliances being distributed with known and fixable security flaws.
The research found that most vendors are not updating or discontinuing their outdated or end-of-life (EOL) products.
Unsurprisingly, known vulnerabilities accumulate as products age, and as a result, security scores fall as products age.
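The two findings above (EOL operating systems and ageing images) are the kind of thing a customer can check for themselves before deploying a vendor's virtual appliance. The following Python is an added example, not Orca Security's scoring methodology or any vendor's code: it parses the `/etc/os-release` file mounted from an appliance image, compares the distribution and version against a small end-of-life table, and reports how old the image build is. The EOL dates are a constructed sample from memory and should be verified against each distribution's own lifecycle page; the sample `os-release` text is also constructed.

```python
from datetime import date

# Constructed EOL table: (ID, VERSION_ID) -> end of standard support.
# Illustrative only; confirm each entry against the distro's lifecycle page.
EOL_TABLE = {
    ("debian", "8"): date(2020, 6, 30),      # Debian 8 "jessie" LTS end
    ("ubuntu", "14.04"): date(2019, 4, 30),  # Ubuntu 14.04 standard support end
    ("centos", "7"): date(2024, 6, 30),      # CentOS Linux 7 end of life
}


def parse_os_release(text):
    """Parse os-release KEY=VALUE lines into a dict, dropping quotes and comments."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip().strip('"').strip("'")
    return info


def eol_status(os_release_text, today):
    """Return whether the image's OS is past end of life as of `today`."""
    info = parse_os_release(os_release_text)
    distro = info.get("ID", "").lower()
    version = info.get("VERSION_ID", "")
    eol = EOL_TABLE.get((distro, version))
    if eol is None:
        # Fall back to the major version (e.g. "8.11" -> "8") before giving up.
        eol = EOL_TABLE.get((distro, version.split(".")[0]))
    if eol is None:
        # Unknown to our table: report it as undetermined rather than guessing.
        return {"distro": distro, "version": version, "eol": None,
                "unsupported": None, "days_past_eol": None}
    return {"distro": distro, "version": version, "eol": eol,
            "unsupported": today > eol,
            "days_past_eol": max((today - eol).days, 0)}


def image_age_months(build_date, today):
    """Whole months between the appliance build date and `today`."""
    months = (today.year - build_date.year) * 12 + (today.month - build_date.month)
    if today.day < build_date.day:
        months -= 1
    return max(months, 0)


def appliance_report(os_release_text, build_date, today, max_age_months=12):
    """Combine the EOL check and image age into one deploy-time verdict.

    `max_age_months` is an assumed policy threshold, not a value from the report.
    """
    status = eol_status(os_release_text, today)
    age = image_age_months(build_date, today)
    status["image_age_months"] = age
    status["stale_image"] = age > max_age_months
    status["block_deploy"] = bool(status["unsupported"]) or status["stale_image"]
    return status


# Constructed sample os-release content resembling a Debian 8 image.
SAMPLE_DEBIAN_8 = """\
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
"""

if __name__ == "__main__":
    # Build date is a constructed value; 'today' matches the post's date.
    print(appliance_report(SAMPLE_DEBIAN_8, date(2018, 8, 1), date(2020, 10, 13)))
```

Running the script against a mounted image (`cat /mnt/appliance/etc/os-release`) gives a quick, offline gate; the vulnerability-count side of a score still needs a package inventory matched against an advisory feed, which is outside this snippet.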
Virtual appliances are a common way to provide IT security functions such as firewalls and network encryption. Overall, it was somewhat reassuring that security products scored four points higher than the average at 83.0.
However, failures still existed in the category, including products from A10 Networks, Symantec, FireMon, Cloudflare, and Tufin. Ironically, one vendor, Qualys (getting a grade of C)—itself a vulnerability scanning service provider—was shipping a 26-month-old appliance with a user enumeration vulnerability the vendor had discovered and reported to the industry in 2018. Qualys updated its solution following Orca’s security notice.
Under the principle of Coordinated Vulnerability Disclosure, Orca Security researchers emailed each software vendor directly, giving them the opportunity to fix their security issues.
Fortunately, the tests have started to move the cloud security industry forward. As a direct result of this research, vendors reported to Orca Security that 36,938 out of 401,571 vulnerabilities have been removed by patching or discontinuing their virtual appliances from distribution.
Average increase in scores went from a B to an A
Some of these key corrections or updates included: