Security software frequently runs with higher privileges than average software, as it needs to inspect data going to and from other applications and needs deep access to the operating system.
The operations often require complex parsing and pattern detection, which typically result in complex and bug-prone code, said Chris Wysopal, CTO and co-founder of Veracode. As a result, exploitable vulnerabilities in security software typically leads to complete system compromise.
The biggest sin in the Symantec story is using outdated third-party libraries containing known vulnerabilities and not updating those libraries with newer, more secure versions.
Unfortunately, though it's a best practice to use the latest versions of third-party libraries, it doesn't always happen. The updated libraries and packages may break existing functionality or may depend on deprecated functionality, which would require changes to the software.
Considering the nested nature of software development, where libraries use other third-party components, developers often don't even realize that they are relying on older and vulnerable code within their applications.
Open source security company SourceClear has a tool to help developers identify what open source libraries they are using and what vulnerabilities exist so that they can identify and fix known and emerging security threats. Black Duck Software's platform also detects and alerts for issues on Linux subcomponents when they are used to build applications and containers.
But the development teams need to use those tools or take other steps to keep libraries and packages up-to-date.
Just because software comes from a security vendor doesn't automatically mean it was written by a team of developers well-versed in security.
"Security software vendors hire from the same pool of developers who in general have had no security training in college or on the job security training," said Wysopal.
Enterprises expect products from large vendors and well-known brands to be tested and secure, but vulnerabilities can be found in any application.
Relying on any one application or technology for security is a losing proposition. Antivirus software and endpoint security products are often considered mandatory elements of a good enterprise security environment. While there is a growing realization that they aren't enough, there is still a lack of awareness that the software itself could act as the doorway for attackers.
There's the social engineering aspect, where attackers craft malware specifically to bypass specific types of antivirus, and users let down their guard when they see the malware because they figure the antivirus would have stopped it if it was really bad.
Then there are the vulnerabilities themselves. If attackers find the vulnerabilities and figure out a way to exploit them, they would have an enormous victim pool to target.
A defense-in-depth strategy, where additional layers of security technologies block threats that squeak past front-line defenses, is essential for any enterprise. More important, organizations have to make sure they aren't simply applying the same level of security across the board. The more effective approach is to consider the risks, identify where the most sensitive systems and data reside in the local network, and make sure appropriate security measures are applied.
Security isn't a product, but a process, which means organizations have to continually assess risk and update their defenses.
Sign up for CIO Asia eNewsletters.