The Software Industry Delivers Appliances With Known Vulnerabilities

A new study by Orca Security called, 2020 State of Virtual Appliance Security Report, found that as evolution to the cloud is accelerated by digital transformation across industries, keeping virtual appliances patched and secured has fallen behind.  
 
The Report illuminates major gaps in virtual appliance security, finding many are being distributed with known, exploitable and fixable vulnerabilities and on outdated or unsupported operating systems.
 
Software vendors are often distributing their wares on virtual appliances with exploitable and fixable vulnerabilities, and running on outdated or unsupported operating systems.
 
Orca Research Report Key Points:
 
● The Orca Security research study found 401,571 total vulnerabilities in scanning 2,218 virtual appliance images from 540 software vendors.
 
● Less than 8 percent of virtual appliances were free of known vulnerabilities. Meanwhile, less than 5 percent were both free of vulnerabilities and running on a maintained operating system.
 
● Since alerting vendors of these risks, 287 products have been updated and 53 removed from distribution, leading to 36,938 discovered vulnerabilities being addressed.
 
To help move the cloud security industry towards a safer future and reduce risks for customers, Orca Security analysed 2,218 virtual appliance images from 540 software vendors for known vulnerabilities and other risks to provide an objective assessment score and ranking.
 
Virtual appliances are an inexpensive and relatively easy way for software vendors to distribute their wares for customers to deploy in public and private cloud environments. “Customers assume virtual appliances are free from security risks, but we found a troubling combination of rampant vulnerabilities and unmaintained operating systems,” said Avi Shua, Orca Security CEO and co-founder. 
 
Known Vulnerabilities Run Rampant
 
Most software vendors are distributing virtual appliances with known vulnerabilities and exploitable and fixable security flaws.
 
● The research found that less than 8 percent of virtual appliances (177) were free of known vulnerabilities. In total, 401,571 vulnerabilities were discovered across the 2,218 virtual appliances from 540 software vendors.
 
● For this research, Orca Security identified 17 critical vulnerabilities deemed to have serious implications if found unaddressed in a virtual appliance. Some of these well-known and easily exploitable vulnerabilities included: EternalBlue, DejaBlue, BlueKeep, DirtyCOW, and Heartbleed.
 
● Meanwhile, 15 percent of virtual appliances received an F rating, deemed to have failed the research test. 
Outdated Appliances Increase Risks. Multiple virtual appliances were at security risk from age and lack of updates. The research found that most vendors are not updating or discontinuing their outdated or end-of-life (EOL) products.
 
● The research found that only 14 percent (312) of the virtual appliance images had been updated within the last three months. 
 
● Meanwhile, 47 percent (1,049) had not been updated within the last year; 5 percent (110) had been neglected for at least three years, and 11 percent (243) were running on out of date or EOL operating systems.
 
Positive Results
 
As a direct result of this research, vendors reported to Orca Security that 36,259 out of 401,571 vulnerabilities have been removed by patching or discontinuing their virtual appliances from distribution. 
 
Maintaining Virtual Appliances
 
For customers and software vendors concerned about the issues illuminated in the report, there are corrective and preventive actions that can be taken. Software suppliers should ensure their virtual appliances are well maintained and that new patches are provided as vulnerabilities are identified.
 
When vulnerabilities are discovered, the product should be patched or discontinued for use. 
 
Meanwhile, vulnerability management tools can also discover virtual appliances and scan them for known issues. Finally, companies should also use these tools to scan all virtual appliances for vulnerabilities before use as supplied by any software vendor.
 
Orca Security:
 
You Might Also Read:
 
British Spies Find Big Software Problems With Huawei:
« Bangladeshi Banks Are Not Properly Cyber Secure
EU Court Rules Out Mass Online Surveillance »

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DigitalStakeout

DigitalStakeout

A simple and cost-effective solution to monitor, investigate and analyze data from the web, social media and cyber sources to identify threats and make better security decisions.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Cyber Security Service Supplier Directory

Cyber Security Service Supplier Directory

Free Access: Cyber Security Service Supplier Directory listing 5,000+ specialist service providers.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ISO Quality Services Ltd

ISO Quality Services Ltd

ISO Quality Services is an independent organisation that specialises in the implementation, certification and continued auditing of ISO and BS EN Management Standards including ISO 27001..

SecureWorks

SecureWorks

SecureWorks provides intelligence-driven security solutions for organizations to prevent, detect, rapidly respond and predict cyberattacks.

Tigerscheme

Tigerscheme

Tigerscheme is a certification scheme for information security specialists, backed by University standards and covering a wide range of expertise.

ENEA Qosmos Division

ENEA Qosmos Division

Qosmos, a division of Enea, leads the market for IP traffic classification and network intelligence technology used in physical, SDN and NFV architectures.

Crayonic

Crayonic

Crayonic digital identity technologies protect and guarantee the identity of people and things.

Absio

Absio

Absio provides the technology you need to build data security directly into your software by default, and the design and development services you need to make it happen.

Automox

Automox

Remediate vulnerabilities 30X faster than the industry norm – and dramatically reduce your risk with simple, fast, and cloud-native endpoint hardening from Automox.

ThreatReady Resources

ThreatReady Resources

ThreatReady reduces an organization’s risk by delivering cyber security awareness training based on the latest, state-of-the-art learning science to effectively drive long-term cyber-safe behavior.

Research Institute in Secure Hardware and Embedded Systems (RISE)

Research Institute in Secure Hardware and Embedded Systems (RISE)

The UK Research Institute in Secure Hardware and Embedded Systems (RISE) seeks to identify and address key issues that underpin our understanding of Hardware Security.