IT analysis firm Yankee Group is warning that an increasing number of vulnerabilities in security software from major vendors may be putting enterprises and users at risk.
The company called for security vendors to make their computer protection products more secure themselves before applications such as antivirus, firewalls and anti-spyware become “preferred conduits for professionally designed malware,” according to a statement from Yankee Group senior analyst Andrew Jaquith, who researched and reported on the trend.
Jaquith told TechNewsWorld that although there have not been an overwhelming number of exploits taking advantage of security software weaknesses (the mass-exploit Witty worm of 2004 being the exception), the increase in vulnerabilities could make it more likely that security software will be targeted. The situation is similar to the rise in attacks that followed the upswing in Microsoft vulnerabilities in recent years.
Yankee Group indicated that the last year has brought a surge in security software vulnerabilities which, at the current rate of discovery, would amount to a 50 percent increase in security software weaknesses over 2004.
“There are more vulnerabilities for security software at an increasing rate that surpasses [the rate for] Microsoft software,” Jaquith said.
Although researchers do not yet see many exploits for these holes, he said, the potential attack vector is a perilous one, because corporate and consumer users depend on this software to protect their systems and data.
“What we’ve seen is that vulnerabilities are the leading indicator of exploits that come later,” he said. Speaking more generally of attackers, Jaquith added: “The folks doing exploits have found their calling. There is now a profit motive.”
Jaquith, referring to money-making schemes that compromise computers for purposes such as spam or denial-of-service extortion, said there are simple steps security software vendors can take to improve their products’ defenses.
“There’s some simple things any vendor can do,” he said. “The increase of vulnerabilities is basically a quality problem.”
Yankee Group recommended quality assurance and penetration testing measures such as reviewing security designs early and often; integrating security tests into regular software builds; reviewing the code base; and realistically simulating the tactics of an attacker.
For enterprises, Yankee advised readying patch procedures, asking vendors about their software quality assurance and security measures, and diversifying security software providers.
Responding to Holes, Customers
Just as Microsoft has received credit for improving its security response, Michael Sutton, director of iDefense Labs and leader of its Vulnerability Aggregation Team, told TechNewsWorld that security software vendors have improved their approach and response to securing their own products.
“I think vendors are starting to pay close attention to the serious vulnerabilities, like buffer overflows,” Sutton said. “We are seeing a trend in more vulnerabilities [for security software], but we are starting to see them respond to the serious ones.”
Sutton said that while he had difficulty conveying the importance of security vulnerabilities to security software companies two years ago, many of those companies now have people or departments dedicated to responding to and following up on vulnerabilities.
Sutton added that while many enterprise clients do not realize they have the power to move markets, they could get action from security software vendors simply by expressing their concerns about quality and security.
“You want to see a vendor move quickly — they’ll be sprinting,” he said.