Security software is still software

The past few weeks, I'd noticed an annoying problem with my Edge Chromium browser. It was getting painfully slow and sometimes opening a new tab would cause the whole browser window to freeze. Ugh! It took me quite some time to find the solution: disable the hardware acceleration and things will go back to normal.

While I'm in no position to judge whether the root cause lies in the browser, or the video driver, or maybe both, I can't help but notice this ironic fact: a feature that's created to accelerate your browser, in reality, somehow manages to do the exact opposite.

Unfortunately, this ironic example is far from uncommon. Us security professionals have all seen the recent news about CVE-2020-27130, the critical vulnerability within the Cisco Security Manager, an enterprise security solution. The bug allows unauthenticated remote code execution, and the PoC was available in GitHub.

It isn't a surprise that this vulnerability will be exploited in the wild, but I would also argue that the underlying problem may not just be the vulnerability and the public PoC. If any organization exposes the Cisco Security Management management interface to the Internet, it unknowingly creates a big tear in its own asset and attack surface management.

As security professionals, we tend to poke fun at security issues of other software categories, and forget the age-old saying "The darkest place is under the candlestick." In priding ourselves on protecting the world's software from cyber attacks, we often forget that we too, develop and use software. Dangers are always where we least expect it--it's easy to find issues illuminated in the brightness of the flame, but the most dangerous issues are hidden in the darkness beneath--and we often miss them. Cyberark recently published a great blog related to vulnerability in AV software: "Anti-Virus Vulnerabilities: Who’s Guarding the Watch Tower?". It's an educational road trip and highly recommended read.

Security software, at the end of the day, is still software. It has vulnerabilities, adds complexities to the system, and may expose unnecessary attack surfaces. Security software should therefore be evaluated in its pros and cons as part of the overall asset and attack surface management, just like every other piece of software. Security professionals or not, let's step back and take a look at our security software just as vulnerable as all others--when we focus on using it to protect other software, we often neglect how protected it is in itself.

Years ago, there was a huge debate email thread in Microsoft's security discussion group. The question was, "Would you install AV software in the domain controller"? There was no consensus. In today's cloud era, the question might be, "Would you install the CWPP (cloud workload protection) agent in your critical cloud production instance"? What do you think? I am eager to hear your thoughts.