Orca Security 2020 State of Virtual Appliance Security

October 14, 2020

To help move the cloud security industry forward and reduce risk for customers, Orca Security conducted a wide-reaching research and testing project to benchmark the current state of virtual appliance security.

Virtual appliances are cheap and easy for software vendors to distribute. Fully preconfigured with all requisite software, they’re often delivered ready for customers to deploy to public and private cloud environments.

Customers assume that software vendors’ virtual appliances are free from security risks such as known vulnerabilities and unsupported operating systems. The reality is a spectrum, from good to bad, with many virtual appliances being distributed with known and fixable security flaws.

Orca Security’s research methodology

Between April 20 and May 20, 2020, Orca Security’s patent-pending SideScanning™ technology scanned over 2,000 virtual appliance images from 540 vendors for known vulnerabilities and other risks to provide an objective assessment score and ranking.

All of the scanned images are available in public marketplaces. Each tested product was given a security score, ranging from 0 for the worst to 100 for the best, and assigned a grade from A+ (exemplary) down to F (failure).

If a virtual appliance had no fixable vulnerabilities, and its operating system was currently maintained and supported, it would achieve a maximum score of 100. Of the 2,218 virtual appliances tested, only 4.6% (103) received this score.

A virtual appliance would receive an overall score of 0 if it had:

  • an out-of-date (unsupported) operating system
  • any four of 16 critical vulnerabilities as defined by Orca Security
  • 20 or more vulnerabilities having a CVSS score of 9 or greater
  • 100 or more vulnerabilities having a CVSS score between 7 and 9
  • 400 or more unique vulnerabilities

The lowest recorded score was 6.

It would be impractical to report the results for all 2,218 virtual appliances tested within this document.

Download the report to find out more.

About the Provider

Orca Security
Orca Security is the cloud security innovation leader, providing deeper visibility into AWS, Azure, and GCP without the operational costs of agents. With Orca Security, there are no overlooked assets, no DevOps headaches, and no performance hits on live environments.

TOPICS

Software Industry, Virtual Appliances, vulnerabilities