I'm no world-class hacker/penetration tester, but I've been able to break into any organization I've been (legally) hired to test in an hour or less, except for one place that took me three hours. That was on my second engagement with the customer, after it had implemented many of the protections I had recommended during my first visit.

Hackers and pen testers typically have areas of specialization. Some hack point-of-sale terminals, some hack web servers, some hack databases, and some specialize in social engineering. My own area has been computer security defense appliances, followed by hijacking elevated service/daemon accounts once I was in. This combination allowed me to break into about 75 percent of my targets. Sure, there were many other weaknesses, but this one was so prevalent I always went after it first.

Why I targeted security appliances

I got the idea to hack security appliances from doing InfoWorld reviews. I loved testing these appliances for vulnerabilities. In all my years of testing, only one, a McAfee eOrchestrator, arrived without one or more well-known vulnerabilities.

I found this pretty shocking. Even when I told vendors about the vulnerabilities I discovered, they rarely fixed them in a timely manner.

Why are appliances so insecure, especially compared to the software we normally consider more vulnerable? Because most programmers are not trained in secure coding techniques, which is very strange to think about when the programmer is being paid to write code for a security appliance.

The typical security appliance programmer is no different from any other programmer. Yes, the programmer may know how to add encryption or certificate handling, but not necessarily how to improve the security of the appliance itself. Like most programmers, they probably haven't been trained in secure development lifecycle methods. They don't pen test their own code. If the software runs, great.

Appliance vulnerabilities get announced all the time. Security researcher Scott Helme has claimed that Nomx, an email security appliance, has numerous vulnerabilities and contains unpatched software. Though Nomx denies the report, it points out a larger issue. Bob Noel, director of strategic relationships and marketing for the security firm Plixer, explains:

"The vulnerabilities found in this Nomx device are a further example of why companies themselves must take responsibility for securing and monitoring the technology they purchase and implement. Companies should no longer implicitly trust the safety of products as they arrive directly from the manufacturer. It is important for all companies to deploy monitoring solutions like network traffic analytics which inspect traffic to and from every device and apply behavior analysis to uncover anomalous device behavior."

Slow testing cycles

Part of the problem is that appliances have longer testing cycles. The code gets "locked down" longer for testing and sales purposes. If the appliance is going to be sold to a government or medical customer, the lockdown period can be a year or more as the appliance goes through a certification or accreditation process. I've frequently seen appliances running operating system versions that are five to 10 years old, many no longer supported by the vendor. This means well-known, easy-to-exploit bugs often sit in the appliance software for years.

Firmware is simply harder-to-patch software

For reasons unknown to me, buyers and sellers of appliances that run on firmware seem to think firmware is harder to hack than regular software. In fact, the opposite is true. Firmware runs code that can only be formally updated by writing to the firmware, which takes special software with the appropriate access. A hacker, however, can exploit firmware code by modifying the runtime bytes in memory. Although that modification is erased when the appliance is rebooted, appliances are rebooted far less often than regular computers, so exploits can remain active for months to years.

No customer patches allowed

When I contact appliance vendors about newfound vulnerabilities, they're surprised to hear that an exploit that's been around for years has also been in their appliance for years. But when I ask if I can patch the vulnerable software component, I'm usually told that doing so without using the vendor's official patch will void the warranty of the appliance.

Slow patching cycles

The most popular operating systems and software programs are patched on a daily to monthly basis. With appliances, you're lucky to see a patch once a quarter or, in many cases, once a year. Remember, most appliances run operating systems that contain the same bugs the OS vendor patches once a month. You can understand why appliance hackers love this.

What can you do?

Appliance security is improving, albeit slowly, but most security appliances still have one or more vulnerabilities.

Here's what to do: Before buying a new appliance, ask the vendor what it does to minimize security issues. Have the programmers received security development lifecycle training? Do they do code analysis or pen testing? How often do patches come out, and what do they cover?

Find out if the vendor patches bugs in a timely manner. Can you patch your appliance if you discover a bug and the vendor doesn't fix it? Everything can be hacked. Everything has bugs. But when a bug becomes known, how long does it take for the vendor to respond? Does the vendor proactively warn you when bugs become known? If so, how? Find out if you can pen test the appliance without violating the warranty.

The intent is to determine if your appliance vendor is even aware of the problem of insecure code. If so, do they take it seriously?

Think defensively

If an appliance with a configuration that's not completely under your control gets owned, how can you prevent that asset from being used against you? Because these devices are supposed to be your bastion defenses, treat them as special.

Don't reuse the device's credentials on other devices or software. For example, your appliance admin credential shouldn't have the same password as your Active Directory domain administrator. If the device doesn't need to be connected to your Active Directory forest or *nix realm, don't connect it. Make it standalone. Limit its ability to connect to the rest of the network and enterprise. That way, if it's compromised, the attacker will have a hard time using its credentials to reach further into the environment.

Most of all, realize that your trusted security components can be used against you. Treat every computer security software program, appliance, and device as if it were as insecure as regular software, or more so. That's usually the hard truth.
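The two pieces of advice above, monitor traffic to and from every device and keep the appliance from reaching into the rest of the network, can be combined into a simple allowlist check. The following is an added example, not code from the original column or from any vendor; the appliance names, the allowlist, and the flow records are all constructed for illustration.

```python
"""Flag security appliances that initiate connections outside their expected set.

Hypothetical example: appliance names, allowed destinations and flow records
are constructed here, not taken from any real environment.
"""
from collections import defaultdict

# Per-appliance allowlist: the only destinations each appliance should ever
# initiate connections to (management station, vendor update host, syslog
# collector, and for the mail gateway the internal mail relay).
ALLOWED = {
    "fw-edge-01": {"10.0.5.10:443", "updates.vendor.example:443", "10.0.5.20:514"},
    "mailgw-01": {"10.0.5.10:443", "updates.vendor.example:443", "10.0.5.20:514",
                  "10.0.9.5:25"},
}

# Constructed flow log: "<source> <destination> <dport> <proto>", one flow per line.
# 10.0.1.5 plays the role of a domain controller; an appliance that should be
# standalone has no business talking LDAP (389), SMB (445) or Kerberos (88) to it.
SAMPLE_FLOWS = """\
fw-edge-01 10.0.5.10 443 tcp
fw-edge-01 updates.vendor.example 443 tcp
fw-edge-01 10.0.1.5 389 tcp
fw-edge-01 10.0.1.5 445 tcp
mailgw-01 10.0.9.5 25 tcp
mailgw-01 10.0.5.20 514 udp
mailgw-01 10.0.1.5 88 tcp
"""


def parse_flows(text):
    """Yield (source, 'dest:port', proto) for each well-formed flow line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than crash the check
        src, dst, dport, proto = parts
        yield src, f"{dst}:{dport}", proto


def find_unexpected(text, allowed=ALLOWED):
    """Return {appliance: sorted unexpected destinations} for monitored appliances only."""
    hits = defaultdict(set)
    for src, dest, _proto in parse_flows(text):
        if src in allowed and dest not in allowed[src]:
            hits[src].add(dest)
    return {name: sorted(dests) for name, dests in hits.items()}


if __name__ == "__main__":
    for appliance, dests in find_unexpected(SAMPLE_FLOWS).items():
        print(f"{appliance}: unexpected outbound to {', '.join(dests)}")
```

Feed it real flow or firewall exports instead of SAMPLE_FLOWS and any hit is a starting point for an incident ticket, or for tightening the appliance's egress rules so the connection cannot happen at all.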