Some accountants embezzle. Some cops steal. Some lawyers lie. But we still trust them to protect our interests...
-- and most often that trust is justified. Though we hold them to a higher standard, we need to be prepared for disappointment. Such is also the case for security software.
We expect security software that guards our systems, applications and data to be better than other software: more stable, more reliable and certainly more secure. Recent vulnerability disclosures for well-known security products show that this software suffers from the same kinds of problems as the applications and operating systems that administrators constantly patch.
However, there is a major difference: If attackers can successfully leverage security software vulnerabilities, all the goodies are exposed. It's like the bank guard leaving the vault door open while nipping out to get jelly donuts. For this reason, any vulnerabilities in security software are far more significant than similar vulnerabilities in ordinary applications.
So, how bad is the security software problem? Do some security software vendors have a worse track record than others? Does the problem seem to be getting better, or worse? And what, if anything, can we do to protect ourselves from such vulnerabilities?
A rough numerical indication of vulnerabilities listed in the Secunia security database provides a qualitative idea of the problem and shows important trends. Criteria was that the vulnerabilities be serious (moderately, highly or extremely critical) and damaging (permitting denial of service, exposure of sensitive system information, system hijacking, ID spoofing, manipulation of data, privilege escalation, security bypass or system access).
From Nov. 2002 through March 2004, 64 advisories matched these criteria for 23 security vendors. The vendors with the most advisories were NetScreen (9), Symantec (including Norton and Raptor products) (8), Kerio (6), CheckPoint Software Technologies (5), BlueCoat (4), F-Secure (4), Internet Security Systems (3), McAfee (3) and TrendMicro (3). The first six vendors on this list account for more than half of the advisories. Some vendors had very few advisories, including Deerfield, eTrust (Computer Associates), GlobalSCAPE, Ingate and SSH Communications, with two advisories each, and Finjian, Fortinet, Infopulse, Kaspersky Labs, Panda, RSA, Secure Computing, Sophos and Sygate Technologies, with one advisory each. Secunia lists several other vendors in its database, but had no advisories meeting these criteria.
Sheer number of advisories may not be indicative of the most insecure software; some products may receive greater scrutiny than others, and more vulnerabilities might be found as a result.
The advisories revealed that these vulnerabilities are due to the same types of flaws seen in other software; for example, overflows were part of the problem in 14 of the 64 advisories. Also notable are vulnerabilities attributable to flaws in included components and protocols, such as OpenSSL (8), ActiveX (4), SSH and OpenSSH (4) and H.323 (1). This suggests that the vulnerability problems that security vendors are encountering are not entirely due to security-specific difficulties in implementation. They're making the same mistakes that everyone else is making.
The average number of advisories over the span studied was 3.5 per month. By examining the advisories month-by-month, it's clear that the number is growing steadily. January, February and March had six, seven and 11 advisories respectively. A linear regression of the data suggests that the average will double in about six months.
Given the recent emergence of attack scripts deployed rapidly after the announcement of software vulnerabilities, it seems fair to conclude that attackers will try these attacks on security software. In fact, security software might become a target of choice: Once an attack brings down security, the system could be wide open for exploitation.
Administrators and managers need to consider the vulnerability of their chosen security solutions. Studying advisories may suggest which vendors are doing a good job securing their own products. It may be necessary to deploy multiple solutions -- from different vendors -- to address a single problem. One thing is clear: Until we learn to create flawless software, we can't trust the software we must trust.