Vulnerability-testing company Secunia has published its annual report (pdf) on security vulnerabilities earlier this week. In the report, Secunia noted that some CA products containing anti-virus components suffer from “inherent code problems.” One CA product singled out for criticism was ARCserve Backup, which the security company says is poorly coded.

In an interview with sister site ZDNet UK, Thomas Kristensen, Secunia’s chief technology office noted, “ARCserve is inherently insecure. It’s poor code, with a poor design. An internal code review should have revealed problems in the code that needed to be fixed before the product was launched.”

The surprise stems from the fact that many of the same vulnerabilities reported in June 2007 continue to plague the software, despite patches being released to fix them.

According to Thomas Kristensen, “It’s bizarre to see a patched product with vulnerabilities coming from a security vendor. It’s not very smart to have vulnerabilities in a backup solution, as it’s deployed on every workstation on a system, making the system more vulnerable.”

CA declined to comment on the effectiveness of its ARCserve patch.

Do you use CA’s ARCserve in your organization?