Now, more and more companies are releasing products as appliances, both physical and virtual, that you just plug into your environment and begin using. This is great from a deployment and management standpoint and is much easier for the vendor to support; however, any change the vendor has not approved can cost you vendor support. Surprisingly, multiple appliances from the same vendor will often also have dissimilar configurations and vulnerabilities. These days, each product is made by a different group within the company, and little to no effort is made to standardize the build, patch level, and configuration across those products.
One product I recently started evaluating consists of eighteen virtual appliances. All these appliances have the same operating system, but each one is at a different patch level and a different revision, and each has different (unused) services enabled. This makes the security process a nightmare, forcing us to:
• Evaluate each appliance and submit a report on each one to security
• Determine exactly what security absolutely requires us to fix
• Submit that list to the vendor for permission or assistance to fix it
• Wait for their engineers to evaluate the fix
• Fix what is allowed by the vendor (to keep support)
• Submit back to our local security for approval
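The first step of that process, finding out how far each appliance has drifted from its siblings, is mechanical and can be scripted. As an added example (not code from the original post or from any vendor), the Python below takes per-appliance inventories of OS release, package versions, and enabled services, derives a fleet-majority baseline, and reports each appliance's deviations: OS mismatch, package levels that differ, and services enabled beyond the baseline. The appliance names, versions, and service lists are constructed sample data.

```python
"""Drift report across a fleet of appliances that share one base OS.

Added example with constructed inventory data; appliance names, OS and
package versions, and service names are hypothetical.
"""

from collections import Counter

# Constructed inventories: one entry per appliance, as a reviewer might
# collect them from `rpm -qa` / `systemctl list-units` style output.
INVENTORIES = {
    "appliance-01": {
        "os": "7.4",
        "packages": {"openssl": "1.0.2k-16", "bash": "4.2.46-31"},
        "services": {"sshd", "snmpd"},
    },
    "appliance-02": {
        "os": "7.4",
        "packages": {"openssl": "1.0.2k-16", "bash": "4.2.46-31"},
        "services": {"sshd", "snmpd", "telnet"},
    },
    "appliance-03": {
        "os": "7.2",
        "packages": {"openssl": "1.0.2k-8", "bash": "4.2.46-28"},
        "services": {"sshd"},
    },
    "appliance-04": {
        "os": "7.4",
        "packages": {"openssl": "1.0.2k-16", "bash": "4.2.46-31"},
        "services": {"sshd", "snmpd", "cups"},
    },
}


def majority_baseline(inventories):
    """Derive a baseline from the fleet: the most common OS release, the most
    common version of each package, and the services enabled on a strict
    majority of appliances. Anything outside that is what gets reported."""
    fleet_size = len(inventories)
    os_counter = Counter(inv["os"] for inv in inventories.values())

    pkg_versions = {}
    for inv in inventories.values():
        for pkg, ver in inv["packages"].items():
            pkg_versions.setdefault(pkg, Counter())[ver] += 1

    service_counter = Counter()
    for inv in inventories.values():
        service_counter.update(inv["services"])

    return {
        "os": os_counter.most_common(1)[0][0],
        "packages": {pkg: c.most_common(1)[0][0] for pkg, c in pkg_versions.items()},
        # strict majority: enabled on more than half of the fleet
        "services": {svc for svc, n in service_counter.items() if n * 2 > fleet_size},
    }


def drift_report(inventories, baseline):
    """Per appliance, return the findings a reviewer would have to write up.
    Services missing relative to the baseline are not reported: a service
    that is off is not an exposure, only extra services are."""
    report = {}
    for name, inv in inventories.items():
        findings = {}
        if inv["os"] != baseline["os"]:
            findings["os"] = (inv["os"], baseline["os"])
        pkg_drift = {
            pkg: (ver, baseline["packages"].get(pkg))
            for pkg, ver in inv["packages"].items()
            if baseline["packages"].get(pkg) != ver
        }
        if pkg_drift:
            findings["packages"] = pkg_drift
        extra = inv["services"] - baseline["services"]
        if extra:
            findings["extra_services"] = sorted(extra)
        report[name] = findings
    return report


if __name__ == "__main__":
    base = majority_baseline(INVENTORIES)
    print("baseline:", base)
    for appliance, findings in drift_report(INVENTORIES, base).items():
        print(appliance, "OK" if not findings else findings)
```

Against the sample fleet this flags appliance-03 as behind on OS release and both packages, and appliance-02 and appliance-04 for a service (telnet, cups) that only that box has enabled, which is exactly the list that goes to the vendor for approval. A majority baseline is a convenience for spotting outliers, not a statement that the majority is correct; the package levels still have to be checked against the vendor's current release.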
I would expect this lack of awareness from a startup or newer vendor who may not yet have had to deal with secure environments; most corporate enterprises are more forgiving when it comes to internal security. But I am seeing this from large, longtime vendors who should have had security awareness in mind when these products were designed and built.
http://searchsecurity.techtarget.com/tip/Information-security-policy-management-for-emerging-technologies
Many of the new technologies, and current technologies that we have recently upgraded, now require Internet access to download patches or updates and to report health back to the vendor. This has been true for a long time now, but there was always the off-line option that an admin could use to download the patches and updates for networks not connected to the Internet. Now I no longer have these options (at least not in an easy way). This forces me to backdoor the systems to maintain current operations, possibly introducing more security risks, or at least risks of application corruption.
I have said before, and I still strongly believe, that it is much easier to build with security in mind than to try to secure a product that was never designed from the standpoint of security. With all the reports of data theft in the news, what company is not concerned with security? Vendors need to establish security as a key cornerstone of any new product to remain relevant and competitive in today's environment.
https://www.gtisc.gatech.edu/pdf/Threats_Report_2014.pdf