Jul 27th, 2007, 4:52 am
If you took only weekly media reports and monthly security researcher statistics as your metric, I suspect it would be a safe bet that you would say software security vulnerabilities are on a steep upward curve. Furthermore, given the media exposure of events such as Microsoft Patch Tuesday and the furore when Adobe or Apple announce that a hole has been discovered in a high-profile product, you would just as likely say that things are only getting worse as far as the big software vendors are concerned.
The thing is, when you have statistical tunnel vision it becomes very difficult to see the bigger picture. But that panoramic view, surveying the software vulnerability landscape over the last five years, is just what Gunter Ollmann, Director of Security Strategy at IBM Internet Security Systems, has been looking at.
And he has come up with a frankly surprising conclusion: as far as the top ten software vendors contributing to vulnerability disclosure statistics are concerned, the trend is actually downward. Using data collated by the IBM ISS X-Force security research labs, Ollmann did the math and found that, despite record growth in vulnerability disclosures during 2006 (up 39.5% over 2005), the contribution by the top ten vendors has decreased from 20.2% to 14.6% over the last five years.
In his IBM ISS blog posting, Ollmann quite rightly notes that major vendors produce the most popular products, packed with ever more features and functions. The more features you put into software, Ollmann argues, the more frequently software bugs and related vulnerabilities appear. However, he goes on to suggest that improved QA and testing by these vendors, removing the 'low hanging fruit' of days gone by, makes their applications less ripe for vulnerability picking. Conversely, smaller companies with myriad new products have arrived on the scene that do offer easy pickings, and this has diluted the overall vulnerability pool.
I questioned Ollmann about the figures, especially with regard to the relative nature of the argument. After all, like most people I get the distinct feeling that the actual number of individual vulnerabilities applicable to the major vendors is on the up, not declining. Is this relative downturn not all a bit of a red herring? Even if you take those relative figures at face value, given the resources the big players have available to them, surely 14.6% is way too high a figure anyway?
Here's what Gunter Ollmann told DaniWeb: "The largest vendors have been maturing their QA and testing processes to identify software vulnerabilities over the years, and this analysis supports the idea that this investment is working. However, the total volume of new products being released by all software vendors (including the top 10) has similarly been increasing, which means that new 'unexplored territory' is constantly being created for security researchers - e.g. Microsoft's Vista, Apple's iPhone, Google's Maps, etc. Personally I think that there is still substantial room for improvement in the QA and testing processes used by the largest software vendors, and I expect further refinements as they evolve their strategies. However, I would also point out that too few non-top-10 vendors have been adopting the processes and lessons learned from the big vendors in securing their products. These smaller vendors are a soft spot for the security community and provide nearly all the low-hanging fruit being disclosed (e.g. SQL injection, file format vulnerabilities, etc.). I think it would be interesting for someone who has access to the revenue information for all the major software vendors to provide some level of comparison of the number of annual vulnerabilities in their products vs. their global software revenue. That would probably shed more light onto the scale of positive work the largest vendors have undertaken to get their products more secure."
This blog entry was written by Davey Winder, staff writer aka happygeek. It has received 2,412 views, 1 comment, and 16 linkbacks. 1 voter has rated this entry 5 out of 5 stars. It was promoted to featured status Jul 27th, 2007.
Comments (Newest First)
jwenting | duckman | Jul 27th, 2007
Another factor was discussed at JavaLobby today. And that's overblown media reactions.
When 2 vulnerabilities were found in the Java runtime this month, the media went berserk over the massive increase in vulnerabilities in Java.
And indeed, the number had been 100% higher than over the previous 6 months, when a grand total of 1 problem had been discovered (and promptly fixed, just as these ones had been, in fact all had been fixed before any known exploits were out in the wild).
Of course anyone just reading that the incidence of security problems with a product has doubled over the space of a few months is going to be concerned, especially when they don't get to see the raw data about what numbers are involved (and what was done about them).
The same is no doubt true everywhere. And indeed, with the increased efforts by software makers, it should come as no surprise to anyone that they find and fix more problems than in the past (problems which in the past would possibly have gone unnoticed forever until silently removed in the next release of the product instead of in a "security update").