We use security products to secure our systems and our businesses. However, the very security products we use, can themselves have vulnerabilities which can leave us susceptible to attacks. We conducted a study recently to understand the vulnerability trends in security products.Read further to know more on what we discovered this time around.

How was the research conducted?

We started off with some survey on the internet to find something closely related to vulnerability trends in security products. As part of our survey, we came across many interesting articles but could not find exactly what we were looking for. Finally, we decided to pull out data from NVD vulnerability database and run some SQL queries to create some interesting statistics.

Click here to download the full report

Key findings of the Report:

• Total vulnerabilities reported in Security Products in 2012 have increased sharply with a CAGR of 37.29% over the last 3 Years. Tweet this!

• Anti-Virus alone accounts for 49% of the vulnerabilities reported in Security Products followed by Firewall with 24%. Tweet this!

• Top 3 Security vendors with maximum vulnerabilities published in 2012 are McAfee, Cisco followed by Symantec. Tweet this!

• Top 3 Security products with maximum vulnerabilities published in 2012 are Rising-Global’s Antivirus , Cisco’s Adaptive Security Appliance and Ikarus Virus Utilities.Tweet this!

• Access Control is the most prominent weakness in Security Products followed by Input Validation. Tweet this!

• SQL Injection is the least found vulnerability among Security products in 2012. Tweet this!

Click here to download the full report

(Read more: How would you describe the CISO role on Twitter?)

Conclusion:

Security products have been targeted by the hackers from the time they were introduced in the market.It should be noted that vulnerability findings in security products and software follow similar trend as any other general purpose commercial or open source product. It is also quite evident from our study that security products are vulnerable to same type of vulnerabilities such as Buffer Overflow, MITM, Information leakage etc. as any other products used in the organizations.

Some of our major predictions:

• There will be an increase in attacks on security products, companies or solutions.
• The majority of vulnerabilities discovered will not become public and shall remain in the hands of APT (Advanced Persistent Threat) actors.

How to combat vulnerabilities in Security Products?

• Ask for security certifications of the products and independent third party penetration testing reports as part of    procurement process.
• Conduct independent penetration testing of security infrastructure/solutions.
• Create an efficient detection and response mechanism.

Click here to download the full report

Disclaimer:

We have used well known vulnerability standards and database like Common Vulnerability Enumeration (CVE), Common Product Enumeration (CPE) and Nation Vulnerability Database (NVD). One of the major challenges we faced was in classifying the products into security and non-security products, as the current product standard (CPE) does not support it. We solved this challenge by considering that security products have certain keywords like, ‘ ID‘virus’, ‘firewall‘, ‘IPS‘, ‘scan’ etc. Hence there are chances of some date being missed and the report should be considered as indicative. iViZ disclaims all warranties, expressed or implied, with respect to this research for any particular purpose.

Original Blog: http://www.ivizsecurity.com/blog/penetration-testing/vulnerabilitie...