Software vendors are often distributing their wares on virtual appliances with exploitable and fixable vulnerabilities, and running on outdated or unsupported operating systems:
LOS ANGELES – October 13, 2020 – The “Orca Security 2020 State of Virtual Appliance Security” report found that as evolution to the cloud is accelerated by digital transformation across industries, keeping virtual appliances patched and secured has fallen behind. The report illuminated major gaps in virtual appliance security, finding many are being distributed with known, exploitable and fixable vulnerabilities and on outdated or unsupported operating systems.
To help move the cloud security industry towards a safer future and reduce risks for customers, Orca Security analyzed 2,218 virtual appliance images from 540 software vendors for known vulnerabilities and other risks to provide an objective assessment score and ranking.
Virtual appliances are an inexpensive and relatively easy way for software vendors to distribute their wares for customers to deploy in public and private cloud environments.
“Customers assume virtual appliances are free from security risks, but we found a troubling combination of rampant vulnerabilities and unmaintained operating systems,” said Avi Shua, Orca Security CEO and co-founder. “The Orca Security 2020 State of Virtual Appliance Security Report shows how organizations must be vigilant to test and close any vulnerability gaps, and that the software industry still has a long way to go in protecting its customers.”
Top report findings include:
Known Vulnerabilities Run Rampant
Most software vendors are distributing virtual appliances with known vulnerabilities and exploitable and fixable security flaws.
Outdated Appliances Increase Risk
Multiple virtual appliances were at security risk from age and lack of updates. The research found that most vendors are not updating or discontinuing their outdated or end-of-life (EOL) products.
The Silver Lining
Under the principle of Coordinated Vulnerability Disclosure, Orca Security researchers emailed each vendor directly, giving them the opportunity to fix their security issues.
Fortunately, the tests have started to move the cloud security industry forward. As a direct result of this research, vendors reported to Orca Security that 36,938 out of 401,571 vulnerabilities have been removed by patching or discontinuing their virtual appliances from distribution. Some of these key corrections or updates included:
Maintaining Virtual Appliances
For customers and software vendors concerned about the issues illuminated in the report, there are corrective and preventive actions that can be taken.
Software suppliers should ensure their virtual appliances are well maintained and that new patches are provided as vulnerabilities are identified. When vulnerabilities are discovered, the product should be patched or discontinued for use. Meanwhile, vulnerability management tools can also discover virtual appliances and scan them for known issues. Finally, companies should also use these tools to scan all virtual appliances for vulnerabilities before use as supplied by any software vendor.
Report Resources Now Available:
About Orca Security
Orca Security is the cloud security innovation leader, providing instant-on, workload-level security and visibility for AWS, Azure, and GCP without the gaps in coverage and operational costs of agents.
Delivered as SaaS, Orca Security’s patent-pending SideScanning™ technology reads your cloud configuration and workloads’ runtime block storage out-of-band, detecting vulnerabilities, malware, misconfigurations, lateral movement risk, weak and leaked passwords, and unsecured PII.
Orca Security deploys in minutes – not months – because no opcode runs within your cloud environment. With Orca, there are no overlooked assets, no DevOps headaches, and no performance hits on live environments.
And unlike legacy tools that operate in silos, Orca treats your cloud as an interconnected web of assets, prioritizing risk based on environmental context. This does away with thousands of meaningless security alerts to provide just the critical few that matter, along with their precise path to remediation.
Connect your first cloud account in minutes and see for yourself. Visit orca.security.
About the Orca Security 2020 State of Virtual Appliance Security Report
The Orca Security 2020 State of Virtual Appliance Security Report was a wide-reaching research and testing project to benchmark the current state of virtual appliance security. Between April 20 and May 20, 2020, Orca Security scanned 2,218 virtual appliance images from 540 software vendors for known vulnerabilities and other risks to provide an objective assessment score and ranking.