If you were to just take weekly media reports and monthly security researcher statistics as your metric, then I suspect it would be a safe bet to suggest that you would say software security vulnerabilities are on a steep upwards curve. Furthermore, it is just as likely that given the media exposure to such events as Microsoft Patch Tuesday and the furore when Adobe or Apple announce a hole has been discovered in a high profile product, you would say that things are only getting worse as far as the big software vendors are concerned.
The thing is, when you have statistical tunnel vision it becomes very difficult to see the bigger picture. But that panoramic view, surveying the software vulnerability landscape over the last five years, is just what Gunter Ollman, Director of Security Strategy at IBM Internet Security Systems has been looking at.
And he has come up with a, frankly, surprising conclusion that as far as the top ten software vendors contributing to vulnerability disclosure statistics are concerned, the trend is actually a downwards one. Using data collated by the IBM ISS X-Force security research labs, Ollmann was able to do the math and discover that despite there being a record growth in vulnerability disclosure during 2006, up 39.5% over 2005, the contribution by the top ten vendors has decreased from 20.2% to 14.6% during the last five years.
In his IBM ISS blog posting, Ollman quite rightly talks about major vendors producing the most popular products, packed with ever more features and functions. The more features you put into software, Ollman argues, the greater the frequency of software bugs and related vulnerabilities that appear. However, he goes on to suggest that improved QA and testing by these vendors, removing the 'low hanging fruit' of days gone by, makes their applications less likely to be ripe for vulnerability picking. Conversely, smaller companies with myriad new products have arrived on the scene which do have easy pickings, and this has diluted the overall vulnerability pool.
I questioned Ollman about the figures, especially with regards to the relativity of the argument. After all, like most people I get the distinct feeling that the actual numbers of individual vulnerabilities applicable to the major vendors is on the up, not declining. This relative downturn thing is all a bit of a red herring is it not? Even if you do take those relative figures at face value, given the available resources the big players have available to them, surely 14.6% is way too high a figure anyway?
Here's what Gunter Ollman told DaniWeb "the largest vendors have been maturing their QA and testing processes to identify software vulnerabilities over the years, and this analysis supports the idea that this investment is working. However, the total volume of new products being released by all software vendors (including the top 10) has similarly been increasing. Which means that new "unexplored territory" is constantly being created for security researchers - e.g. Microsoft's Vista, Apples iPhone, Google's Maps, etc. Personally I think that there is still substantial room for improvement in the QA and testing processes used by the largest software vendors, and I expect further refinements as they evolve their strategies. However, I would also point out that too few non-top-10 vendors have been adopting the processes and lessons learned from the big vendors in securing their products. These smaller vendors are a soft spot for the security community and provide nearly all the low-hanging-fruit being disclosed (e.g. SQL Injection, file format vulnerabilities, etc.) I think it would be interesting for someone who has access to the revenue information for all the major software vendors to provide some level of comparison of number of annual vulnerabilities in their products vs. their global software revenue. That would probably shed more light on to the scale of positive work the largest vendors have undertaken to get their products more secure."
