22 Jun 2005
Hackers are increasingly targeting security software rather than operating systems, according to a new report from The Yankee Group.
The analyst firm explained that many of the easiest flaws in Windows XP have been found and blocked, especially since service pack two was released.
Because hackers target ubiquitous software and most computers have security systems, those systems have become an obvious target.
"It's a logical step," said Greg Day, an analyst at McAfee, which has shown one of the biggest improvements in reducing vulnerabilities this year.
"As a security company if you can't keep your own house in order how can you handle other people's security? It's kind of like Michelin at last weekend's Grand Prix: when your key product can't deliver you take a hit in reputation."
Day said that initiatives in the McAfee offices to improve code included posting good coding examples in highly visible places in the developers' offices to remind them to be security conscious.
Overall, however, many security vendors were savaged in the Yankee Group report, entitled Fear and Loathing in Las Vegas: the Hackers Turn Pro.
"Not all security vendors are ready for the rising tide of vulnerabilities that flaw-finders will inevitably discover in their products," said Zeus Kerravala, infrastructure global practice leader at the analyst.
"Analysis of a cross-section of data revealed that publicly disclosed vulnerabilities disproportionately affected Symantec products versus any other security vendor during 2003 and 2004, and 2005 appears to be trending in the same direction.
"Check Point and F-Secure saw a large increase in vulnerabilities in 2004 compared to the previous year."
The survey also highlights the contribution of security assessment companies like eEye and Qualys. These companies specifically target security vendors' software for flaw analysis as it helps them sell their own security products.
Of the flaws reported in 2004-2005, security assessment vendors were the largest source of flaw information, highlighting 26 per cent of flaws.
Another quarter came from independent researchers, 18 per cent came anonymously and 16 per cent from vendors disclosing their own software defects.
Companies are advised to "ask pertinent questions impertinently" to their security vendors, and to diversify their security software so that they are not relying on one vendor.