Vulnerabilities are rife in security products

Marketing stronger than coding?

An astonishing 40 per cent of security products have built-in vulnerabilities, according to new research.

A report from industry standard benchmarking company ICSA Labs reveals that, among these products, the security issues range from: “vulnerabilities that compromise the confidentiality or integrity of the system to seemingly random behaviour that affects availability.”

The company gives one example of a web application firewall (WAF) that included “numerous vulnerabilities within its web administration interface.”

“Cross-site scripting, SQL injection, and buffer overflow vulnerabilities and unencrypted admin interfaces are some of the common security issues identified within the Custom Testing engagements, Web Application Firewalls, and Network Firewalls programs”, continued the report.

The authors also bemoaned the increasing re-use of standard code bases for security tools, pointing out that “Many of the security troubles for SSL VPNs can be traced to the OpenSSL toolkit (which roughly 80 per cent of them use). By comparison, IPSec VPNs tested have significantly fewer security violations.” This in turn makes fixing these issues difficult without a major new code release.

Chris Wysopal, CTO of Veracode, said: “It’s ironic that security tools often bring their own crop of vulnerabilities to a system. Of course, many of the coding techniques used are not much different to the rest of the industry. However, software design is a relatively new discipline in engineering terms, so it’s not surprising that there is still work to do on ratings and certifications.”

ICSA Labs was formed in 1989 with the aim of providing independent, third-party assurance for computer and network security products.



