Orca Security specialists have conducted an exhaustive analysis to look for flaws in 2,000 Internet-connected virtual devices developed by 540 vendors, discovering more than 400,000 security vulnerabilities.
The analysis included virtual appliances associated with platforms such as Amazon Web Services (AWS), VMware, Google Cloud, or Microsoft Azure, although in many cases these devices are the same as those provided by vendors. According to Orca, only 8% of industry members were shown to be unaffected by any flaws, including firms such as Trend Micro and Pulse Secure.
Although about 25% of the devices analyzed received good ratings, 15% received an insufficient score, including technology developed by CA Technologies, Software AG, Intel, Zoho, Symantec and Cloudflare.
The companies were notified of the thousands of flaws Orca encountered, and the security firm notes that suppliers have already corrected about 36,000 of the 400,000 vulnerabilities reported. Companies that responded to Orca’s report included Dell EMC, Cisco, IBM, Symantec, Oracle, Kaspersky, Zoho, and Qualys.
It should be noted that not all reported flaws will be fixed: companies argue that it is up to users to upgrade to secure versions, and add that not all reported vulnerabilities could be actively exploited. Some of the firms analyzed have even threatened to take legal action against Orca for misuse of their products.
One of the findings that most caught experts' attention is that the most expensive products are not necessarily the safest, as less expensive products scored better in terms of security: “Of course this data only serves as a guide to how suppliers support their products; the price rarely has anything to do with the security provided by a virtual device,” Orca’s report states.
Suppliers also received some advice from Orca, which invites companies to reduce the risks inherent in using this technology in order to improve the user experience.