Is security software the most insecure?
by Anton Chuvakin
Related link: http://businessweek.com/technology/content/jun2005/tc20050617_1613_tc024.htm
That is an amusing report on the security of security software (!). A new report "shows the number of vulnerabilities found in security products increasing sharply for the third straight year -- and for the first time surpassing those found in all Microsoft products." Wow!
I think it’s a combination of issues:
Security software is supposedly transparent, in the sense that its presence is not obvious and that it doesn’t itself provide any assets like bandwidth, CPU power or customer information databases that an attacker has an interest in. This results in relatively sloppy code, at least in parts of the product not immediately exposed to the outside world (but I have no delusions about those which are).
Additionally, security tends to get treated as a checklist item because it does not contribute directly to any bottom line (except its vendor’s, of course). I suspect that it generally receives insufficient attention in environments where the revenue-generating infrastructure is high-maintenance. I also suspect that in places where the administrative staff is not particularly clueful, it simply gets deployed at management mandate which is given in order to tick off that checklist item.
Security software is the gatekeeper to the assets an attacker is interested in. As it is deployed more widely, it becomes a necessary initial target on the way to more valuable infrastructure.