Security Products Riddled with Bugs

Exterminator

Nearly a quarter of the top 20 products with the most vulnerabilities in the period August-October this year were security software, according to new research from Flexera Software.

The vendor’s Secunia Research team studied the top 20 in each month – comprising a total of 46 products across the report period.

Some 11 of these were security products from some of the world’s biggest and best known vendors including IBM, McAfee and Palo Alto Networks.

Part of the problem lies with open source and third party components, which are often reused in code without adequate checks to ensure there are no bugs present.

Jeff Luszcz, vice-president of product management for Flexera’s Software Composition Analysis solutions, explained that open source components comprise as much as half of the global code base.

“As the Heartbleed open source vulnerability reminds us, vulnerable open source components built into software products can cause global disruption if they are not discovered and patched prior to delivering software products to customers,” he added.

“Every software and IoT producer must understand these risks, and leverage technology to automate open source component scanning, governance and vulnerability management.”

The findings reflect research from Forrester released in October which revealed a host of security issues in products from many top vendors including FireEye, Symantec, Cisco and Fortinet.

The latest Vulnerability Update from Flexera also warned of the growing risk from commonly used browser and PDF readers.

To illustrate the point, seven such products appeared at least once in the top 20 products with the most vulnerabilities during the report period, the firm claimed.

In 2015 alone, Secunia Research reported a whopping 16,081 vulnerabilities across more than 2,400 products and 263 vendors.

Some 1,114 vulnerabilities were discovered in the five most popular browsers – Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari – and 147 bugs were discovered in the most popular readers: Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader.
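The component scanning the article calls for, shown as an added example that is not from the article, from Flexera or from any of the vendors named: a minimal matcher that takes an inventory of (component, version) pairs, as you would read them from an SBOM or a lock file, and checks each one against advisories carrying an affected version range. The one real advisory used is Heartbleed (CVE-2014-0160), which affected OpenSSL 1.0.1 up to and including 1.0.1f and was fixed in 1.0.1g. The inventory, the function and class names, and the "introduced/fixed" layout of the advisory record are constructed for illustration.

```python
"""
Minimal software-composition check: match the components in an inventory
against an advisory list with affected version ranges.

The inventory and the advisory record layout are constructed for this
example; the Heartbleed range is the real one for CVE-2014-0160.
"""
import re
from dataclasses import dataclass

# OpenSSL's pre-1.1 scheme used a letter suffix for patch releases
# ("1.0.1f"). The parser splits the dotted numbers from an optional suffix
# so that 1.0.1 < 1.0.1a < ... < 1.0.1g < 1.0.2 compares correctly; a
# plain string comparison would get several of those wrong.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def parse_version(text):
    """Return a comparable key: (numeric parts padded to 4, letter suffix)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = [int(p) for p in m.group(1).split(".")]
    numbers += [0] * (4 - len(numbers))      # pad "1.0.1" to (1, 0, 1, 0)
    return tuple(numbers[:4]), m.group(2)


@dataclass(frozen=True)
class Advisory:
    """Hypothetical advisory record: half-open range [introduced, fixed)."""
    identifier: str
    component: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)

    def affects(self, version):
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Heartbleed (CVE-2014-0160): OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g.
ADVISORIES = [
    Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g"),
]


def scan(components, advisories=ADVISORIES):
    """
    components: iterable of (name, version) pairs, e.g. read from an SBOM
    or a package lock file. Returns a sorted list of
    (component, version, advisory id) findings.
    """
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv.component.lower(), []).append(adv)
    findings = []
    for name, version in components:
        for adv in by_name.get(name.lower(), []):
            if adv.affects(version):
                findings.append((name, version, adv.identifier))
    return sorted(findings)


# Constructed inventory: a product that bundles several OpenSSL builds next
# to a component with no advisory on file.
SAMPLE_INVENTORY = [
    ("openssl", "1.0.1e"),   # inside the affected range
    ("openssl", "1.0.1g"),   # first fixed release
    ("openssl", "1.0.2"),    # later branch, outside the range
    ("openssl", "0.9.8y"),   # earlier branch, outside the range
    ("zlib", "1.2.8"),       # no advisory on file
]

if __name__ == "__main__":
    for name, version, adv_id in scan(SAMPLE_INVENTORY):
        print(f"{name} {version}: {adv_id}")
```

The version parser is the part worth getting right: the half-open range and the letter-suffix ordering are what decide whether 1.0.1g is reported as clean, and a scanner that compares version strings lexically will misfile exactly the releases that matter. A real deployment replaces the one-entry list with a feed such as the NVD or OSV data and the hand-written inventory with generated SBOM output.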

kev216

They are not bugs, they are features :D
Now, more seriously: bugs are inevitable in all software. As long as they are fixed as quickly as possible, it's good. But I've also experienced some irritating bugs in various AV solutions. Some vendors really have to work on that.

Mohan Rajan

I have just tested the clipboard protection in SpyShelter and it failed miserably, as well as in screen capture.
I sent a mail and, as expected, they blame it on other security software, as though I can uninstall all my other security software.
I think a point has come when we just need to depend on luck and some common sense.

jamescv7

Part of the problem lies with open source and third party components, which are often reused in code without adequate checks to ensure there are no bugs present.

I should agree here. In software engineering the approach is simply called "software reuse", so you are modifying something; however, the source code may not be optimized.

For example, BBs in AVs may contain issues, since the way they monitor does not meet the correct reference and thus detections misfire.

DardiM

Thanks for the share :)

I think software has bugs because humans have bugs. Even when we test our own security tool before releasing it:

=> once released, bugs will be found.
=> I don't think there is any software without bugs.

A big problem: thinking of all possibilities is hard, because not all possibilities are known (or thought of).

That is also why beta testing with a very large number of people is important ... but even this way there will be bugs ...

(About thinking of all possibilities:
Some very long years ago, a magnetophone-"like" device (you can see some in museums, hahaha :p) was shown in a demonstration. All was OK with play, then stop, or rewind... But when somebody from the audience pushed the forward and rewind buttons at the same time:
=> Oops (= sorry, device broken!)
=> The developers had not thought about this possibility.
True or false story?! It was reported to me by one of my profs (a researcher) when I was a young penguin. A lot of (lot of (lot of (lot of))) years after this event, in a lot of situations where hardware / software are concerned, there are some analogies with this story.)
