False Protection

Don't worry about defending your operating system—first, check your security software! Formerly, OSes were the victim of choice for cracker attacks. But on Monday, June 20, 2005, the Boston-based analyst firm Yankee Group released a study of industry vulnerability data that reveals an ironic new target—the very software used to shore up system security.

"It's not so much that vulnerabilities in and of themselves are a problem; the problem, of course, is the bad guys who use them to create packaged exploits, taking unprocessed uranium and making munitions out of them," Group Senior Analyst Andrew Jaquith told Software Development. "We don't want security software to become a preferred conduit for professionally designed malware."

The group's 15-month analysis of ICAT, the computer vulnerability database from the Computer Security Division at the National Institute of Standards and Technology, reveals 77 vulnerabilities affecting a range of security products, with the rate of increased attacks matching that of the growth of the industry itself.

What caused this shift from the system to the programs designed to protect it? The study posits three reasons: First, Windows' ongoing improvements in its most easily exploited security flaws, notably Windows XP, Service Pack 2. Second, due to a lack of third-party and media analysis, security companies may have grown lax in development, testing and repair of potential problems, turning their antivirus and host intrusion prevention products into an easy bull's-eye.

Finally, the security specialist merry-go-round may also be making the new target more attractive. Security assessment vendors such as eEye offer detective services to ferret out flaws in their competitors' security products; these companies then offer their own security analysis products on the market—revealing detection signatures for their competitors' offerings. This tail-chasing process, the study claims, accounts for one-quarter of the security product vulnerabilities in 2004 and 2005.

But don't go tossing your firewall in the trash. According to Jaquith, "Vulnerabilities are not necessarily an indicator of code quality. The number one determinant is the motivation to go and find them. Security researchers are often motivated by oneupmanship: 'I can find more holes than you can.' They want to find something new and exotic that hasn't been publicized as much. And when you've had the number of published vulnerabilities that the Microsoft products have, it's more exciting to find something new, and security software is a sort of greenfield opportunity."

And, though less popular OSes like Apple OS X and the Linux stable may not be attracting significant cracker attention to date, they're no reliable refuge.

A Rising Trend The Yankee Group study reveals 77 vulnerabilities affecting a range of security products, with the rate of increased attacks matching that of the growth of the industry itself.

Naming Names
So who's the 90-lb. weakling on the beach? The study fingers the ubiquitous Symantec products, which saw a marked and ongoing rise in security flaws since 2003, a trend that appears unabated up to the present. Cracks in Check Point and F-Secure products also increased significantly throughout 2004, while McAfee and other vendors were less likely targets.

"The interesting thing is that these security software vendors are not always practicing software security," says Gary McGraw, CTO of Cigital and author of, among many other works on security, last year's top-selling Exploiting Software (Addison-Wesley). "What we need to do is get those network security providers to become software security practitioners. Then we need to build better software, building security into the product itself."

Are any vendors enacting this best-practice philosophy? "Some have been doing a lot of work lately," McGraw says. "Microsoft, Qualcomm and some other vendors are building much more solid software. But too many companies are just trying to solve the network security problem without solving the software security problem—and that's not possible."

Things to Come?
Although publication of these vulnerabilities isn't a definite harbinger of doom, some security researchers release public proof-of-concept code in their vulnerability announcements—ostensibly for the good of vendors, security administrators and researchers. But when crackers get their hands on this data, creepy crawlies come out of the woodwork.

A March 2004 eEye advisory document revealed a buffer overflow flaw in several ISS desktop firewall and intrusion prevention products, including ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop and BlackICE. Techniques published in the document were exploited just days later in the emergence of the Witty worm, which deleted a randomly selected section of the hard drive, eventually rendering the victimized PC unusable. The worm's payload contained the phrase "(^.^) insert witty message here (^.^)"; hence its name. "Witty worm is the only documented instance I'm aware of that has turned into a mass exploit," Jaquith notes. "While that's the only one to date, what's worrying is that there could be more."

Home Remedies
What can be done to stem this lethal leaching? The nature of security software—its elevated user privilege and wide reach throughout the operating system—makes it an inherently enticing target. But common sense can go a long way in the search for security.

The answer lies in personal responsibility, according to Jaquith. "Vendors have to engineer security into the development application lifecycle, get developers to have core responsibility and give them the tools to do it."

He advises security software developers to conduct early and frequent design review, run nightly regression tests and frequent code base reviews, keep privilege levels and authorization management in the forefront, analyze component authentication, ferret out buffer overflows, and perform checkpoint reviews with security-knowledgeable people. "Basically, you can barrage the software at every major release with a penetration test."

Security in Jeopardy According to Yankee Group Senior Analyst Andrew Jaquith, "Vulnerabilities are not necessarily an indicator of code quality. The number one determinant is the motivation to go and find them."

Ultimately, vulnerability is a quality problem to be remediated through a quality mind set, Jaquith points out. A zeal that matches the crackers' energy is of paramount importance. "There are degrees of intensity, but people who take this seriously tend to be fairly passionate about it," Jaquith notes. "Passion is the key here."

But Jaquith also sees value in thinking negative. "From a QA testing point of view, in addition to normal functionality tests, you need to test for the things the application is not supposed to do. Essentially, this is what I'd refer to as a negative test. If your security product has a Web form on it, why not change the inputs a bit, so instead of giving it a normal type of input like yes or no, toss a thousand As at it to make it fall over? Take the assumptions you have about how the program works and blow them up and try to trick the program," he advises.

At the enterprise level, it pays to be prepared. Bolstering the patching infrastructure and analyzing security products' auto-update mechanisms are essential procedures in our insecure world.

Contract renewal, Jaquith also recommends, is another opportunity for increased security. When deciding on a software security system or vendor, don't settle for bluster or dismissal—demand hard evidence of best practices and a comprehensive method of detecting and repairing problems found by staff, customers or third parties.

Finally, diversity pays. A wide array of antivirus products from varying vendors can tighten your organization's overall security, as do multisourced solutions from different code bases.

McGraw sees the problem as emblematic of a major blindness in the industry. "The security software providers are not practicing software security. We need to get network security providers and vendors to realize that the root of the security problem is broken software. "

Easier said than done, but the Yankee Group's new study has definitely put the problem on the table. "Vendors may think they know everything they need to know about security," McGraw says, "but this shows that they don't."