From Living On An Exponential Curve Of Breaches:
The knowledge that a major networking gear manufacturerâs product has been compromised will raise the question: just how does one trust that products one has purchased are not compromised by a government or sophisticated hacker? Are vendors prepared to submit their products to 3rd party testing labs for assurance purposes? At the very least that assurance should come from complete code reviews and broad spectrum fuzzing. This is an expensive proposition, one that will have to be incorporated in every vendorâs release schedules. At the end of the day will that level of assurance be enough?
Of course, weâre talking about the recent Juniper and Fortinet vulnerabilities that allow unauthorized administration access, and of course made the news.
I donât know that youâll get any security company to submit their source code to an external third party code review, but third party validation and assurance testing seems perfectly reasonable. In fact, vendors already do this with NSS Labs and Common Criteria testing.
Meanwhile, you have vendors with restrictive EULAs that forbid this kind of activity. Which, given that this particular vendor spends more than half of their revenue on marketing, makes you wonder if theyâre in the security business or the marketing business.