Critical vulnerabilities have been discovered in Symantec and Norton security products. Below, Chris Wysopal, CTO and co-founder at Veracode, reflects on why security software ranks as the second-worst category of software for application security.
Chris Wysopal, CTO and co-founder at Veracode:
“The critical vulnerabilities discovered in Symantec and Norton security products are not a surprise – Veracode’s State of Software Security v3 (SoSSv3) report shows security software is the second-worst category of software for application security.
And in general the code you buy is worse than the code you build, because the operator of the software retains all liability, not the software vendor. This is why security-conscious organisations typically build more secure apps than the apps they buy, like security software. From SoSSv6:
All these things add up to making security software an attractive target for attackers. Vulnerabilities are plentiful and the software is running with elevated privileges. I’m surprised we don’t see more disclosures around security software. Perhaps more bug bounties are needed in the security software marketplace.”