Vulnerable AV Software, When the Cure is a Problem

Security can introduce new risks.  A disturbing research report has emerged exposing serious weaknesses in mainstream Anti-Virus (AV) applications.  Software that protects millions of computers from malware is itself vulnerable to attack and compromise.  We all place trust and faith in our AV solutions to protect our devices, data, and experiences.  Because they are predominantly client-based software, they are at risk of containing vulnerabilities in their programming, just like any other application.  Proper development, coding, and quality assurance testing are key to keeping all types of software free from bugs and potential exploitation.

The very tools we rely upon for security may be turned against us.  An attacker could exploit one of these weaknesses and compromise the device.  This is not acceptable.  Security technologists must drive to earn trust.  It begins with the components they use, the designs they create, the software they write, and the manufacturing process that pulls it all together.  The tech industry as a whole has a growing responsibility to produce secure software, hardware, and services.  The software sector already struggles with a dreadful number of flaws as it races to release new versions.  Security software must be held to a higher standard, as its vendors have built their customer bases on the expectation of providing additional protection against lesser software.

The good news is two-fold.  First, this research was brought to light by upstanding researchers who made the information public, have been working with some of the vendors directly, and strongly advocate that all security vendors go back and thoroughly test their products.  The alternative, only malicious groups knowing of these vulnerabilities, could spell disaster for many.  Secondly, most of the AV vendors quickly responded with fixes and have likely taken this bruising experience as motivation to enact more robust development and testing as part of their release process.

As for the security industry as a whole, we must all learn from this experience.  No matter your role, we are all responsible for good processes, ethical practices, and fostering growing trust with every user of technology.

Twitter:  @Matt_Rosenquist    
IT Peer Network: My Previous Posts
My Blog:  Information Security Strategy

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost-effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry-leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry, and his guidance can be heard at conferences and found in whitepapers, articles, and blogs.