80% of Security Products Fail to Meet ExpectationsBy Lawrence Walsh | Posted 2009-11-16 Email Print
ICSA Labs says that four out of five security products it tests fail to deliver the basic functionality of their design, and that 40 percent are inherently insecure. The report says more is needed in security product quality control, but will vendors hear the message before end users are filled with doubt.
Bulletproof security is a practical impossibility. Anyone who claims to have perfected the art of security is either a fool or a liar, since no security product or schema is foolproof or invincible. What security promises is risk mitigation; assuming that security technology works as advertised. And that’s the unspoken problem that undermines security effectiveness, says ICSA Labs.
According to ICSA, nearly 80 percent of all security products it’s tested over the last two decades have failed to work as intended during the first round of testing. On average, it takes two to four rounds of testing for a product to earn the lab’s certification and even then they have trouble maintaining their status.
ICSA—an independent division of Verizon—performs testing on many of the most common security products and platforms, including network and web application firewalls, antivirus applications, intrusion prevention systems, and VPNs (IPSec and SSL). It awards certifications based on common criteria developed in conjunction with the vendors that submit their products for testing. Certification is intended to reflect that a product meets the basic functionality and performance expectations of the community.
In celebrating its 20 years of security product testing, ICSA decided to review the testing and product performance trends of the last two decades. The results are startling - more than three out of four security products failed to deliver on their core functionality. Roughly one-half had problems logging activity for inspection and intelligence correlation. And 40 percent were inherently insecure and susceptible to compromise by hackers.