ACFW firewall test prologue – still failing at the basics


The results of our soon-to-be-published Advanced Cloud Firewall (ACFW) test are hard to ignore.

Some vendors are failing badly at the basics, such as SQL injection, command injection, Server-Side Request Forgery (SSRF) and API abuse, with block percentages under 20%, sometimes way under.

Those are just the application-based threats, never mind the vulnerability-based attacks. 

While it’s tempting to focus on the latest headline-grabbing agentic AI threat protection, if a cloud firewall fails at the basics – for which there are well-documented weaponizations – it should give us pause. 

Attackers are lazy, after all, and will attack using tried-and-true techniques because they still work. 

Not all vendors did this poorly, but some of the ones left in charge of protecting all our data in the cloud for the services we trust have serious gaps.

What are some possible reasons why? While we rarely get to look behind the curtain, there are certain things we can infer. When looking for clues, it’s sometimes easier to study the vendors who do well for insight into what IS working. Here are a few trends we’ve noticed in top-performing vendors.

  1. Secure By Design – While not all vendors’ processes may be the same, we’ve noticed that those who implement a formal “Secure By Design” methodology tend to fare better in testing, partially because it creates a secure development environment and fosters the related culture. The principle “Embrace Radical Transparency and Accountability” embodies a certain kind of courage to face and fix problems before the product ships, and the tests speak for themselves.
  2. Solid Integration for new acquisitions – While an exact integration path is not always obvious before a technology company gets purchased and integrated, successful companies have a clear plan that makes the tech addition seamless. We’ve seen an uptick in companies buying AI security technology recently, for example, and the effort it’s taken to integrate it with the rest of the stack is non-trivial.
  3. Full feedback loops – Some companies sell a product and they’re done. But others create a feedback loop – in various forms – where they have visibility and take responsibility for security misses as a way to improve their product. This “face the music” approach can be a negative or a positive, depending on how each company treats the feedback. But if they integrate lessons learned from the exercise, their product suite is on the road to getting better. 

Speaking of which, we hope independent testing can help form a sort of feedback loop to help produce the same results – a better, safer product suite that can help protect customers, who are the ones protecting all of our cloud data. That feedback loop will help us all. Want the full report when it drops? Reach out. We’d be happy to share it, or come meet up with us at RSA.
