InfoWorld: When your security products are insecure: Takeaways from the Symantec disclosure
Why vulnerabilities in security software are not a surprise
By Chris Wysopal
Jul 8, 2016
Tavis Ormandy, a member of Google's Project Zero initiative, recently discovered a series of vulnerabilities in Symantec's security products that he describes as "as bad as it gets." Affecting both the company's consumer and enterprise products, these vulnerabilities are far-reaching and can't all be patched with automatic updates.
Ormandy writes of these vulnerabilities, "They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."
An insecure security product might sound like a shocking development, but our research has consistently found security software to be among the more vulnerable categories of software. The practical consequence is that even while a security product is blocking some attacks, it also brings its own vulnerabilities, which expose the host it is installed on to additional attacks. That exposure is made worse by the way such products work: they run with high privileges and parse untrusted input by design, so a flaw in them is reachable by an attacker and carries the product's full privilege.
Third-party software in general is also rife with vulnerabilities. If your application security program covers only the code you develop internally, you are making attackers' lives a lot easier. All software, whether internally developed or vendor sourced, adds risk to your organization and needs to be part of your risk management process.