Security Vendors Lacking Good Security


In two separate incidents ealier this month, well known security companies had their web sites breached as a result of SQL injection vulnerabilities.  The first was Kaspersky Labs, an anti-virus vendor which reported the incident on February 9.  Two days later, it was reported that BitDefender, another anti-virus vendor also had their web site hacked by the same Polish hacker who had successfully breached the Kaspersky site.  Again, a SQL injection vulnerability was the cause.

If you do not pay attention to reported incidents and vulnerabilities, you might assume that security vendors would not frequently be the victims of web hacks or have vulnerabilities found in their software.  However, nothing could be further from the truth.  I have been in the security industry for over 13 years and sadly, the companies that are selling security software and services seem to be just as likely as everyone else to be on the wrong end of a security problem.  McAfee, Trend Micro, Barracuda, Cisco and Check Point (to name just a few) all reported serious vulnerabilities in in their products in 2008.  And now we are seeing security companies falling victim to web application attacks as well.

We should demand more from our security vendors.  These are the companies that are securing our infrastructures and protecting our data.  They need to ensure that the products they are selling are secure, because as a consumer of these products, I cannot afford to take the chance that my environment will be compromised due to a weakness in their systems.  And I certainly don’t want to be in a situation where I am frequently applying security patches to my security systems.  I for one will avoid purchasing products from any security vendor that has a poor track record of providing quality, secure products.  This is the only way that they will get the message that we expect more from the vendors that we entrust with the security of our data.

Comments are closed.