Security products are rarely secure

Become a Subscriber

As counterintuitive as it may seem to the average Joe, more security software often brings more vulnerabilities. Security software engineers are often focused on testing and breaking other software with tight integration points and thorough penetration tests. These engineers, however, are not often practiced or conscious towards securing their own software. Even something as basic and widely adopted as OpenSSL, which is an open source library used by millions of products, was recently discovered to have a huge security issue called Heartbleed. This vulnerability may have been known by hackers for the years since it slipped into the source code of OpenSSL on New Year’s Eve of 2011, since it was not discovered and patched until April of 2014.

Even the most basic of encryption protocols can have holes like this, so it only makes sense that large antivirus programs and complex intrusion detection software may have similar or even more grand bugs in them. Less is more when it comes to security, and proprietary versus open source each comes with tradeoffs when it comes to vulnerabilities.

As if the insecurities in software weren’t enough, many businesses add to the problem when they invest in software or hardware tools that are then never properly installed. By only partially integrating a system, such as antivirus software, but neglecting to set up automatic updates and patches, the tools become vulnerable to simple zero-day exploits. Same goes for hardware boxes and firewalls, which are often purchased but then never installed because the business does not want to be inconvenienced with the downtime that may be required for installation.

There are many industry problems that need to be addressed, such as transparency in vulnerabilities and exploits introduced to software. Companies that make security software and hardware don’t want to receive the bad press that comes with a patch that fixes a hole with their product, but this silence makes for a lack of recognition of importance. If more businesses cared about security systems and created a demand for better software and hardware, it is likely we would see a shift of providers trying to create more integrated and hassle-free products over time.