I recently met a colleague for lunch who works for an anti-virus vendor. During our conversation he highlighted some embarrassing mistakes his own company recently made with regard to faulty updates to their products. I pointed out that Symantec recently crippled millions of PCs in China with a faulty signature update. While this amused my colleague, it made me think about what other issues have appeared in the software we depend on to secure our systems and vital data.
To this end I researched the US National Vulnerability Database for vulnerabilities found in security software from the beginning of the year until the 1st of June.
I have to admit what I found was depressing: over 144 vulnerabilities are known to have occurred in the software we use to protect our systems. Don’t forget that there may also be additional vulnerabilities out there that are not yet public and are either known to the vendors as part of their own Q&A or known to the bad guys, who would rather keep the information for themselves so they can better attack their targets. My findings are below.
Most of the major vendors, be they commercial or open source, have been affected. Of the 144 vulnerabilities, 35 were in various anti-virus software products, with over 30 vulnerabilities being discovered in firewall technology. So I guess the main messages to conclude are:
- Ensure your security infrastructure is not reliant solely on software. Remember, People, Process and Technology are the three pillars of a secure environment.
- Regularly review your security software to ensure it is up to date.
- Develop a patch management process that is specific to your security software. Remember, this is the software you depend on to protect your information, networks and systems, so you may need to treat it differently from the accounting package deployed within your company.
- When selecting a product, do not be afraid to question the vendor on how they manage vulnerabilities, patches and updates for their products.
- While having the above questioning session, ask the vendor how they alert you, their customer, to issues with their software.
- Deploy your security systems in a layered approach to provide defence in depth. This is to ensure that if one layer of your security fails, the other layers should continue to protect you.
Finally, for those of you that are interested, please find a list of all the vulnerabilities identified within the US National Vulnerability Database so far this year. I have listed the products alphabetically. If you spot one of the products you use on this list, then I recommend you check and make sure it is up to date with the latest version. After all, you would not drive your car knowing the brakes may be faulty!
