Should Security Companies Do Better With Product Security?

New Trend Micro bugs are the latest in a long string of vulnerabilities discovered in security products over the span of the last year.

A Google Project Zero Researcher, Tavis Ormandy, recently identified a critical vulnerability in Trend Micro's Maximum Security, Premium Security and Password Manager products. This flaw, a debugging service likely left enabled from the product's development, allowed an attacker with the ability to interact with that service to execute their own code with administrative privileges.

This issue is but the latest in a long string of vulnerabilities discovered in security products over the span of the last year. MWR's Benjamin Harris has previously disclosed a range of issues in Trend Micro's Threat Intelligence Manager product. Tavis Ormandy has also disclosed numerous serious vulnerabilities in a range of other vendors' products, including those produced by Avast, Comodo, FireEye and others.

Security firms should be held to the same standard of secure development practices as the rest of the software industry, and given what their products are sold to do, one would hope they would lead the industry in secure development. It would appear that they are, instead, towards the weaker end of the spectrum. It is important that every piece of software on a machine is secure, as attackers tend to look for weak points in the overall system rather than targeting specific software. A critical issue such as this would be severe in any piece of software, but it is disappointing to see security products released with such serious vulnerabilities given the problems they are sold to solve.

Security firms are subject to the same time and resource pressures as every other software development company; if a project is poorly managed, it is common to find that adequate security reviews and assessments are not conducted, in order to save time and money and keep within deadlines and budgets. Given their focus on security, these issues should be at the forefront of the minds of such product development teams, but developers on security product teams are rarely themselves security experts. Such teams should be looking to invest not only in adequate penetration testing and application security assessment as part of their release cycle, but also in improvements to their development lifecycle to catch such bugs earlier in the development process.
