How responsible are your software vendors?



Cloud adoption is a key driver for enterprise innovation. Virtual appliances are an inexpensive and relatively easy way for software vendors to distribute their wares for customers to deploy in public and private cloud environments. However, this report found that keeping software vendors’ virtual appliances patched and secured has fallen behind.

About the Orca Security 2020 State of Virtual Appliance Security Report

To help move the cloud security industry towards a safer future and reduce risks for customers, Orca Security analyzed 2,218 virtual appliance images from 540 software vendors for known vulnerabilities and other risks to provide an objective assessment score and ranking. You can view the detailed research and scoring methodology along with the full table of results here.

  • 2,218 virtual appliance images
  • from 540 software vendors
  • finding  401,571 vulnerabilities

The 540 software vendors included in this study came from across the globe, with the highest concentration being North America at 69.3%. However, it’s worth noting that many software vendors establish their global headquarters in the USA even though they hail from other countries.

Software vendors are often distributing their wares on virtual appliances with exploitable and fixable vulnerabilities

Customers assume that software vendors’ virtual appliances are free from security risks such as known vulnerabilities and unsupported operating systems. The reality is a spectrum, from good to bad, with many virtual appliances being distributed with known and fixable security flaws.

Outdated virtual appliances increase risk

The research found that most vendors are not updating or discontinuing their outdated or end-of-life (EOL) products.

Unsurprisingly, known vulnerabilities accumulate as products age, and as a result, security scores fall as products age.

IT Security vendors should know better

Virtual appliances are a common way to provide IT security functions such as firewalls and network encryption. Overall, it was somewhat reassuring that security products scored four points higher than the average at 83.0.

However, failures still existed in the category, including products from A10 Networks, Symantec, FireMon, Cloudflare, and Tufin. Ironically, one vendor, Qualys (getting a grade of C)—itself a vulnerability scanning service provider—was shipping a 26-month-old appliance with a user enumeration vulnerability the vendor had discovered and reported to the industry in 2018. Qualys updated its solution following Orca’s security notice.

Toward a safer future

Under the principle of Coordinated Vulnerability Disclosure, Orca Security researchers emailed each software vendor directly, giving them the opportunity to fix their security issues.

Fortunately, the tests have started to move the cloud security industry forward. As a direct result of this research, vendors reported to Orca Security that 36,938 out of 401,571 vulnerabilities have been removed by patching or discontinuing their virtual appliances from distribution.

  • 287 products have been updated
  • 53 products removed from distribution
  • 36,938 vulnerabilities have been addressed

Average increase in scores went from a B to an A

Some of these key corrections or updates included:

  • Dell EMC issued a critical security advisory for its CloudBoost Virtual Edition
  • Cisco published fixes to 15 security issues found in one of its virtual appliances scanned in the research
  • IBM updated or removed three of its virtual appliances within a week
  • Symantec removed three poorly scoring products
  • Splunk, Oracle, IBM, Kaspersky Labs and Cloudflare also removed products
  • ZOHO Corporation (ManageEngine) updated half of its most vulnerable products