According to Yankee Group, the traditional focus in security circles on operating systems is giving way to a search for vulnerabilities in security software.
“A more fascinating and profitable area exists in finding vulnerabilities in the products meant to defend against the attacks themselves,” said Andrew Jaquith, Yankee Group senior analyst in Security Solutions & Services. “It is time for the security vendors to stand up and make their own products more secure before they become preferred conduits for professionally designed malware.”
In the 15-month period through March 2005, Yankee said security vendors reported 77 separate vulnerabilities, and noted that “if 2005 trends continue, the number of vulnerabilities for security products will be 50 percent higher than 2004 levels.”
Fortunately for harried security personnel, Yankee reports that “actual exploits targeting security products have lagged behind the disclosure of vulnerabilities themselves.” The firm noted that only one such mass exploit, the Witty worm, has been released.
“Although the security vendor targeted by the Witty worm tightened up its products,” said Yankee, “other security vendors did not heed the warning. The result has been the spate of vulnerabilities documented in this research.”