Should Security Companies Do Better With Product Security?

New Trend Micro bugs are the latest in a long string of vulnerabilities discovered in security products over the span of the last year.

Tavis Ormandy, a researcher on Google's Project Zero team, recently identified a critical vulnerability in Trend Micro's Maximum Security, Premium Security and Password Manager products. The flaw was a debugging service, most likely left enabled from the product's development, which allowed anyone able to interact with that service to execute code of their choosing with administrative privileges.
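The bug class at issue, a development-time debug service that still ships in the release build, is easy to illustrate without reference to any vendor's code. The following is an added, constructed example (not Trend Micro's, MWR's or Project Zero's code): a tiny request dispatcher with a debug route that runs an attacker-supplied shell command, followed by a hardened variant in which the route is absent from release builds and, in development builds, is gated behind a per-process random token. The `release` flag, the route names and the `X-Debug-Token` header are assumptions chosen for the illustration.

```python
"""Constructed illustration of a debug handler left reachable in the shipped
build, beside a build that compiles it out of release and gates it in
development. Not code from any real product."""
import hmac
import secrets
import subprocess
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def debug_exec(req):
    """Debug handler: runs a shell command taken from the request body.
    Anything that can reach this handler gets command execution as the
    service's user, which for a security product is typically SYSTEM/root."""
    result = subprocess.run(req.body.get("cmd", ""), shell=True,
                            capture_output=True, text=True)
    return 200, result.stdout.strip()


def ping(req):
    return 200, "pong"


# Vulnerable: the debug route is registered unconditionally, so every build,
# including the one customers install, exposes command execution.
VULNERABLE_ROUTES = {"/ping": ping, "/debug/exec": debug_exec}


def vulnerable_dispatch(req):
    handler = VULNERABLE_ROUTES.get(req.path)
    return handler(req) if handler else (404, "not found")


class HardenedService:
    """Debug routes exist only when the (hypothetical) build flag `release`
    is False, and even then the caller must present a random token generated
    at start-up, so a stray local request cannot reach them."""

    def __init__(self, release=True):
        self.routes = {"/ping": ping}
        self.debug_token = None
        if not release:
            # Token is minted per process; it is never a static build-time secret.
            self.debug_token = secrets.token_hex(16)
            self.routes["/debug/exec"] = debug_exec

    def dispatch(self, req):
        handler = self.routes.get(req.path)
        if handler is None:
            # In a release build the debug path is simply not routable.
            return 404, "not found"
        if req.path.startswith("/debug/"):
            presented = req.headers.get("X-Debug-Token", "")
            # Constant-time comparison so the token cannot be guessed byte by byte.
            if not hmac.compare_digest(presented, self.debug_token):
                return 403, "forbidden"
        return handler(req)


if __name__ == "__main__":
    probe = Request("/debug/exec", {"cmd": "echo pwned"})
    print("vulnerable build:", vulnerable_dispatch(probe))
    print("hardened release build:", HardenedService().dispatch(probe))
    dev = HardenedService(release=False)
    print("hardened dev build, no token:", dev.dispatch(probe))
```

The point of the hardened variant is that the release build does not contain the dangerous handler at all; the token check only protects developers' own machines. Shipping the handler and relying on "nobody knows it is there" is exactly the mistake the disclosure describes.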

This issue is only the latest in a series of vulnerabilities found in security products over the past year. MWR's Benjamin Harris has previously disclosed a range of issues in Trend Micro's Threat Intelligence Manager product, and Tavis Ormandy has disclosed numerous serious vulnerabilities in other vendors' products, including those of Avast, Comodo and FireEye.

Security firms should be held to at least the same standard of secure development as the rest of the software industry, and given what they sell one would hope they would lead it. Instead they appear to sit towards the weaker end of the spectrum. Every piece of software on a machine needs to be secure, because attackers look for the weakest point in the overall system rather than attacking a particular product on its merits; a security product running with administrative privileges is an especially attractive one. A critical issue of this kind would be severe in any software, but it is particularly disappointing to see security products shipped with such serious vulnerabilities given the problems they are sold to solve.

Security firms face the same time and resource pressures as every other software company. When a project is poorly managed, adequate security reviews and assessments are commonly dropped to save time and money and stay within deadlines and budgets. Given their focus, security should be at the forefront of these product teams' minds, but the developers on security product teams are rarely security experts themselves. Such teams should invest both in penetration testing and application security assessment as part of each release cycle, and in improvements to their development lifecycle, such as design review, code review and automated testing, so that bugs like a debug service left in a release build are caught earlier in the process rather than by an external researcher.
