Almost 80 per cent of security products failed to pass the first test required before certification, according to the latest report released by ICSA Labs.
The ICSA Labs Product Assurance Report said it usually takes at least two cycles of testing before its certification is awarded.
George Japak, managing director of ICSA Labs and a co-author of the report, said: "The question I ask vendors is: 'Who would you rather have find an issue in your product--ICSA Labs in a safe testing environment or a criminal in the real world?'"
The first-of-its-kind study was co-authored by the Verizon Business Data Breach Investigations Report research team.
In analysing relevant data based on tests of thousands of security products in the last 20 years, the report identified the common flaws festering in security products.
The most fundamental reason behind the failure in product tests is as basic as the inability to adequately perform as intended. The test for this is reserved in the category known as core product functionality, which according to the report, accounted for 78 per cent of initial test failures.
Consider, for instance, a case of an anti-virus product unable to prevent infection or an IPS (intrusion prevention system) product that could not filter malicious traffic.
At 58 per cent, the next most common blunder is the failure of a product to completely and accurately log data. The ICSA Labs report suggested that some vendors and enterprise users view logging as a nuisance and just a "box to check".
A hurdle for firewalls
Logging is particularly challenging for firewalls, according to the report.
This was indicated by the record that at least one logging problem had been experienced by 97 per cent of network firewall or 80 per cent of Web application firewall tested.
The third most significant reason for product failure is the finding that 44 per cent of security products had inherent security problems.
These vulnerabilities include compromising the confidentiality or integrity of the system and random behaviour that affects product availability.
The report also highlighted the rigorous scrutiny in ICSA labs testing and certification, stating that only four per cent of the products submitted got the certification during the first testing cycle.
While the report might appear discouraging for first-timers, the reward awaits the persevering security product developers.
ICSA Labs said as high as 82 per cent of resubmitted products for the testing received the stamp of approval.
"When a product fails, we encourage vendors to view this as an opportunity to improve the product before it goes to market," said Japak.
However, products are required to undergo continuous testing to maintain the certification.
An independent division of Verizon Business, ICSA Labs offers vendor-neutral testing and certification of security products in the global market.