Security products appear to be creating greater insecurity.
That's the conclusion of a recent survey of vulnerability trends in security products released by iViZ Security Inc. The vulnerability testing company, based in Sudbury, Mass., found that the number of vulnerabilities reported in security products rose sharply in 2012 and has grown at a compound annual growth rate of about 37.3% over the last three years.
Antivirus products led the way, accounting for 49% of the vulnerabilities reported in the security products iViZ surveyed. Among vulnerability classes, SQL injection was the least common.
In surveying the weak points in security products, iViZ defined a weakness as a bug or flaw in product code that can give rise to a vulnerability in the security software. On that basis, it found that the two most common weakness categories in security products were access control and input validation, and, compared to 2011, it saw "a sharp increase in access control vulnerabilities."
Since attackers increasingly target security products as soon as they reach the market, it is perhaps not surprising that the major security vendors McAfee, Cisco and Symantec accounted for the most vulnerabilities found in products released in 2012.
The survey also noted that similar vulnerability trends can be seen in other commercial and open source products.
"This is not just a call to action for [security] vendors," said Dan Cornell, a principal analyst with San Antonio, Texas-based Denim Group. "This is a call to action for [independent software vendors] that build software that is widely deployed."
The ubiquity of software like Java and Adobe Reader presents a particular challenge for vendors, Cornell added, because a single flaw in such widely installed software gives exploits an enormous base to spread through. Based on the results of iViZ's survey and others, Cornell said he sees a growing mandate from the security market for vendors to produce and deploy secure code.
The upshot, iViZ predicted in its conclusions, will be a growing number of attacks on security products, while the majority of the vulnerabilities found will remain undisclosed. Those undisclosed weaknesses can therefore still be exploited as advanced persistent threats against commercial networks, and against the security products defending them, continue to grow.
According to the iViZ survey, the number of vulnerabilities found in security products had been declining since 2007, bottoming out in 2011. Along with antivirus products, firewalls and intrusion detection and prevention products accounted for most of the security gaps reported last year.
After listing a series of high-profile attacks during 2012 on U.S. security companies such as Symantec, Panda Security and Barracuda Networks, the survey concluded that "compromising a security company may lead to some kind of chain of security breaches all around the world."
Through its own penetration testing, iViZ said it had discovered remote code execution and data-stealing vulnerabilities in various antivirus products.
The company based its survey on widely accepted vulnerability standards and databases, including Common Vulnerabilities and Exposures (CVE), Common Platform Enumeration (CPE) and the National Vulnerability Database (NVD), the U.S. government's repository of vulnerability management data. (According to reports, the NVD itself was hacked in March, when a malware infection on two servers took down its public website and other services.)
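How a tally like the one iViZ describes can be built from NVD data, as an added example that is not the article's or iViZ's own code: it filters NVD-style records down to security products by their CPE names, maps each CVE's CWE to one of the coarse weakness categories the survey reports (access control, input validation), and computes the per-year counts and the compound annual growth rate quoted above. The records, vendors, product catalog and CWE-to-category mapping are constructed for illustration and are assumptions, not data from the survey.

```python
from collections import Counter

# Constructed sample records in the shape of NVD CVE entries (sample id, year
# published, CPE 2.3 name of the affected product, mapped CWE). Ids, vendors
# and products are placeholders, not real advisories.
RECORDS = [
    {"id": "S-01", "year": 2009, "cpe": "cpe:2.3:a:acme:antivirus:8.0:*:*:*:*:*:*:*", "cwe": "CWE-119"},
    {"id": "S-02", "year": 2009, "cpe": "cpe:2.3:a:acme:antivirus:8.0:*:*:*:*:*:*:*", "cwe": "CWE-20"},
    {"id": "S-03", "year": 2009, "cpe": "cpe:2.3:a:acme:firewall:3.1:*:*:*:*:*:*:*", "cwe": "CWE-287"},
    {"id": "S-04", "year": 2009, "cpe": "cpe:2.3:a:bravo:ids:2.0:*:*:*:*:*:*:*", "cwe": "CWE-20"},
    {"id": "S-05", "year": 2010, "cpe": "cpe:2.3:a:acme:antivirus:9.0:*:*:*:*:*:*:*", "cwe": "CWE-119"},
    {"id": "S-06", "year": 2010, "cpe": "cpe:2.3:a:acme:firewall:3.2:*:*:*:*:*:*:*", "cwe": "CWE-862"},
    {"id": "S-07", "year": 2010, "cpe": "cpe:2.3:a:bravo:ids:2.1:*:*:*:*:*:*:*", "cwe": "CWE-89"},
    {"id": "S-08", "year": 2010, "cpe": "cpe:2.3:a:bravo:ids:2.1:*:*:*:*:*:*:*", "cwe": "NVD-CWE-noinfo"},
    {"id": "S-09", "year": 2011, "cpe": "cpe:2.3:a:acme:antivirus:10.0:*:*:*:*:*:*:*", "cwe": "CWE-20"},
    {"id": "S-10", "year": 2011, "cpe": "cpe:2.3:a:acme:antivirus:10.0:*:*:*:*:*:*:*", "cwe": "CWE-284"},
    {"id": "S-11", "year": 2012, "cpe": "cpe:2.3:a:acme:antivirus:11.0:*:*:*:*:*:*:*", "cwe": "CWE-119"},
    {"id": "S-12", "year": 2012, "cpe": "cpe:2.3:a:acme:antivirus:11.0:*:*:*:*:*:*:*", "cwe": "CWE-20"},
    {"id": "S-13", "year": 2012, "cpe": "cpe:2.3:a:acme:antivirus:11.0:*:*:*:*:*:*:*", "cwe": "CWE-287"},
    {"id": "S-14", "year": 2012, "cpe": "cpe:2.3:a:acme:antivirus:11.0:*:*:*:*:*:*:*", "cwe": "CWE-862"},
    {"id": "S-15", "year": 2012, "cpe": "cpe:2.3:a:acme:firewall:4.0:*:*:*:*:*:*:*", "cwe": "CWE-20"},
    {"id": "S-16", "year": 2012, "cpe": "cpe:2.3:a:acme:firewall:4.0:*:*:*:*:*:*:*", "cwe": "CWE-732"},
    {"id": "S-17", "year": 2012, "cpe": "cpe:2.3:a:bravo:ids:3.0:*:*:*:*:*:*:*", "cwe": "CWE-78"},
    {"id": "S-18", "year": 2012, "cpe": "cpe:2.3:a:bravo:ids:3.0:*:*:*:*:*:*:*", "cwe": "CWE-863"},
    # Not security products: one is absent from the catalog, one is an OS ('o') CPE.
    {"id": "S-19", "year": 2012, "cpe": "cpe:2.3:a:acme:office_suite:5.0:*:*:*:*:*:*:*", "cwe": "CWE-79"},
    {"id": "S-20", "year": 2011, "cpe": "cpe:2.3:o:acme:router_os:1.0:*:*:*:*:*:*:*", "cwe": "CWE-287"},
]

# Assumed catalog of which (vendor, product) pairs are security products and
# of what type; a real survey would build this from the CPE dictionary.
SECURITY_PRODUCTS = {
    ("acme", "antivirus"): "antivirus",
    ("acme", "firewall"): "firewall",
    ("bravo", "ids"): "ids/ips",
}

# Assumed mapping of CWE ids to the coarse categories the survey reports.
CWE_CATEGORY = {
    "CWE-20": "input validation",   # improper input validation
    "CWE-78": "input validation",   # OS command injection
    "CWE-89": "input validation",   # SQL injection
    "CWE-119": "memory safety",     # buffer bounds violation
    "CWE-284": "access control",    # improper access control
    "CWE-287": "access control",    # improper authentication
    "CWE-732": "access control",    # incorrect permission assignment
    "CWE-862": "access control",    # missing authorization
    "CWE-863": "access control",    # incorrect authorization
}


def parse_cpe(cpe):
    """Return (part, vendor, product) from a CPE 2.3 formatted string.
    Splits on ':' and so assumes no escaped colons in the fields."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %r" % cpe)
    return fields[2], fields[3], fields[4]


def product_type(cpe):
    """Security-product type for a CPE, or None if it is not a catalogued application."""
    part, vendor, product = parse_cpe(cpe)
    if part != "a":  # only application CPEs; OS ('o') and hardware ('h') are skipped
        return None
    return SECURITY_PRODUCTS.get((vendor, product))


def tally(records):
    """Count security-product vulnerabilities by year, product type and weakness category."""
    counts = {"by_year": Counter(), "by_type": Counter(),
              "by_category": Counter(), "by_year_category": Counter()}
    for r in records:
        ptype = product_type(r["cpe"])
        if ptype is None:
            continue
        category = CWE_CATEGORY.get(r["cwe"], "other")  # unmapped CWEs land in 'other'
        counts["by_year"][r["year"]] += 1
        counts["by_type"][ptype] += 1
        counts["by_category"][category] += 1
        counts["by_year_category"][(r["year"], category)] += 1
    return counts


def cagr(by_year):
    """Compound annual growth rate between the first and last year present,
    or None with fewer than two years or a zero starting count."""
    if len(by_year) < 2:
        return None
    first, last = min(by_year), max(by_year)
    if by_year[first] == 0:
        return None
    return (by_year[last] / by_year[first]) ** (1.0 / (last - first)) - 1


def share(counter, key):
    """Fraction of all counted items that fall under key (0.0 for an empty counter)."""
    total = sum(counter.values())
    return counter[key] / total if total else 0.0


if __name__ == "__main__":
    t = tally(RECORDS)
    for year in sorted(t["by_year"]):
        print(year, t["by_year"][year], dict((c, n) for (y, c), n in t["by_year_category"].items() if y == year))
    print("antivirus share: %.1f%%" % (100 * share(t["by_type"], "antivirus")))
    print("CAGR: %.1f%%" % (100 * cagr(t["by_year"])))
```

On the constructed sample the access control count jumps from one in 2011 to four in 2012, antivirus products carry about 53% of the total, and the counts grow at a CAGR of roughly 26% from 2009 to 2012; the real survey's figures differ, and the point is the method, not these numbers. Note that a growth rate computed only between the first and last year says nothing about the shape in between, which is why the per-year breakdown is printed alongside it.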
To combat vulnerabilities in security products, iViZ recommended that buyers request security product certifications and independent penetration tests. It also recommended proactive measures, such as an efficient detection and response mechanism for when a vulnerability is exploited.
Despite the growing insecurity, Cornell said he sees some progress toward securing code in ubiquitous software like Adobe's. He pointed to Adobe's appointment in April of Brad Arkin as chief security officer.
"Adobe has some of the most widely deployed software in the world and we are keenly aware that this makes us a target," Arkin said in a recent blog post, adding that he would "continue to manage and foster two-way communication with the broader security community, a vital part of the central security function."
Cornell concluded that companies like "Adobe have made progress, but they have a hard problem," namely, securing millions of lines of code while keeping pace in fast-moving markets. Ultimately, these vendors must focus on the "security of their features," Cornell added.