FireEye shows that even security products can have security holes
A zero-day vulnerability in the popular FireEye security appliance was in the news several weeks ago, but it’s still worth discussing. That’s because some people in the security community were outraged that a security product could have an exploitable vulnerability. But why should products from security vendors be any different from other products? Because security vendors should know better? Please don’t tell me you’re going to trust your security career to that naive notion.
You shouldn’t have blind faith in anything you allow onto your network, and that includes security appliances. This was made amply clear to me a few years back, when a vendor of an email security appliance tried to convince me (as the CTO of a small company) to team up and help sell the appliance. I had our engineering team test the appliance, just as we would any product we were considering using or supporting. The team quickly found that the appliance was running an older SSH daemon that had known vulnerabilities. I notified the appliance team, and they sent back a “fixed” version that failed a second test a few days later. Needless to say, our partnership never happened.