
Security Vendors in the crosshairs

Wed, Aug 2, 2006

Industry News

The past 7 days or so have been painful for security vendors, particularly IPS vendors. Several prominent security vendors were reported to have vulnerabilities of varying severities. Here is a quick breakdown from Secunia:

TippingPoint secunia.com/advisories/21154/
TopLayer secunia.com/advisories/21218/
ISS secunia.com/advisories/21219/
Fortinet secunia.com/advisories/21214/
iPolicy secunia.com/advisories/21215/
Sidewinder secunia.com/advisories/21217/
McAfee secunia.com/advisories/21264/
Astaro secunia.com/advisories/21213/
Barracuda secunia.com/advisories/21258/

There are probably more…I just ran through the list quickly.

This is troublesome to say the least. Every product is going to have bugs. It’s generally a by-product of the release cycle: vendors have to meet product ship dates. If they don’t, there are potential issues from the executive team, the board, analysts and waiting customers. This is not going to change in the near term.

This should hit home twice as hard for the security vendors. We in the security industry have been talking about secure coding practices for some time. There are even companies that will scan your source looking for bugs, like Coverity. There are others, but I mention Coverity specifically for the outstanding work they are doing for Open Source projects like Firefox and OpenOffice.org. Customers are looking to us as an industry to protect them and their interests.

Security vendors are being targeted more, I’m sure. It seems like the skill set on the cracker side is swinging away from the script-kiddie end of the pendulum. I know I am preaching to the choir, but it bears repeating.

–Chris


This post was written by:

Chris Harrington - who has written 153 posts on InfoSecPodcast.com.

