If you took only weekly media reports and monthly security researcher statistics as your metric, I suspect it would be a safe bet that you would say software security vulnerabilities are on a steep upward curve. Furthermore, given the media exposure of events such as Microsoft Patch Tuesday, and the furore when Adobe or Apple announce a hole has been discovered in a high-profile product, it is just as likely that you would say things are only getting worse as far as the big software vendors are concerned.

The thing is, when you have statistical tunnel vision it becomes very difficult to see the bigger picture. But that panoramic view, surveying the software vulnerability landscape over the last five years, is exactly what Gunter Ollmann, Director of Security Strategy at IBM Internet Security Systems, has been taking.

And he has come up with a frankly surprising conclusion: as far as the top ten software vendors' contribution to vulnerability disclosure statistics is concerned, the trend is actually downwards. Using data collated by the IBM ISS X-Force security research labs, Ollmann did the math and found that, despite record growth in vulnerability disclosure during 2006, up 39.5% over 2005, the contribution of the top ten vendors has decreased from 20.2% to 14.6% over the last five years.

In his IBM ISS blog posting, Ollmann quite rightly points out that the major vendors produce the most popular products, packed with ever more features and functions. The more features you put into software, Ollmann argues, the more bugs and related vulnerabilities appear. However, he goes on to suggest that improved QA and testing by these vendors, which has removed the 'low hanging fruit' of days gone by, makes their applications less likely to be ripe for vulnerability picking. Conversely, smaller companies with myriad new products have arrived on the scene, and those products do offer easy pickings, which has diluted the overall vulnerability pool.

I questioned Ollmann about the figures, especially with regard to the relativity of the argument. After all, like most people I get the distinct feeling that the actual number of individual vulnerabilities applicable to the major vendors is on the up, not declining. This relative downturn thing is all a bit of a red herring, is it not? Even if you do take those relative figures at face value, given the resources the big players have available to them, surely 14.6% is way too high a figure anyway?

Here's what Gunter Ollmann told DaniWeb: "The largest vendors have been maturing their QA and testing processes to identify software vulnerabilities over the years, and this analysis supports the idea that this investment is working. However, the total volume of new products being released by all software vendors (including the top 10) has similarly been increasing, which means that new 'unexplored territory' is constantly being created for security researchers - e.g. Microsoft's Vista, Apple's iPhone, Google's Maps, etc. Personally I think that there is still substantial room for improvement in the QA and testing processes used by the largest software vendors, and I expect further refinements as they evolve their strategies. However, I would also point out that too few non-top-10 vendors have been adopting the processes and lessons learned from the big vendors in securing their products. These smaller vendors are a soft spot for the security community and provide nearly all the low-hanging fruit being disclosed (e.g. SQL Injection, file format vulnerabilities, etc.). I think it would be interesting for someone who has access to the revenue information for all the major software vendors to provide some level of comparison of the number of annual vulnerabilities in their products vs. their global software revenue. That would probably shed more light onto the scale of positive work the largest vendors have undertaken to get their products more secure."

About the Author

As Editorial Director and Managing Analyst with IT Security Thing, I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old-fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

Another factor was discussed at JavaLobby today, and that's overblown media reactions.
When 2 vulnerabilities were found in the Java runtime this month, the media went berserk over the massive increase in vulnerabilities in Java.
And indeed, the number was 100% higher than over the previous 6 months, when a grand total of 1 problem had been discovered (and promptly fixed, just as these ones had been; in fact, all had been fixed before any known exploits were out in the wild).

Of course anyone just reading that the incidence of security problems with a product has doubled over the space of a few months is going to be concerned, especially when they don't get to see the raw data about what numbers are involved (and what was done about them).

The same is no doubt true everywhere. And indeed, with the increased efforts by software makers, it should come as no surprise to anyone that they find and fix more problems than in the past (problems which in the past would possibly have gone unnoticed forever until silently removed in the next release of the product instead of in a "security update").
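The two statistical traps raised on this page, the article's relative-share-down-while-absolute-count-up figures and the comment's "100% increase" from one Java issue to two, can be made concrete with a few lines of analysis. The Python below is an added example, not code from the article, from Ollmann's blog post or from IBM ISS X-Force; the vendor names and disclosure counts are constructed and bear no relation to the real figures. It computes the top vendors' absolute count and their share of all disclosures across two years, and reports a percentage change together with the base it was computed from.

```python
"""Relative vs. absolute vulnerability trends on constructed data.

Shows how the top vendors' share of all disclosures can fall while their
absolute count rises, and why a percentage change should always be reported
with the base it was computed from.  All figures here are made up and are not
X-Force numbers.
"""

from typing import Dict, Tuple

# Constructed per-vendor disclosure counts for two consecutive years
# (illustrative only; NOT the IBM ISS X-Force figures from the article).
DISCLOSURES: Dict[int, Dict[str, int]] = {
    2005: {"big_a": 100, "big_b": 80, "big_c": 60,
           "small_1": 180, "small_2": 160, "small_3": 140, "small_4": 80},
    2006: {"big_a": 110, "big_b": 90, "big_c": 70,
           "small_1": 260, "small_2": 240, "small_3": 220, "small_4": 160,
           "small_5": 130},
}

# The "top vendors" whose share we track (hypothetical names).
TOP_VENDORS: Tuple[str, ...] = ("big_a", "big_b", "big_c")


def pct_change(old: int, new: int) -> float:
    """Percentage change from old to new.  Undefined for a zero base, which is
    exactly the case where a headline percentage would be most misleading."""
    if old == 0:
        raise ValueError("percentage change is undefined for a zero base")
    return (new - old) * 100.0 / old


def describe_growth(old: int, new: int) -> str:
    """Headline percentage together with the absolute figures behind it, so that
    the JavaLobby case (1 issue, then 2) reads as '+100.0% (1 -> 2, +1)' rather
    than a bare '+100%'."""
    return f"{pct_change(old, new):+.1f}% ({old} -> {new}, {new - old:+d})"


def top_share(counts: Dict[str, int], top: Tuple[str, ...]) -> Tuple[int, int, float]:
    """Return (top-vendor count, total count, top-vendor share in percent)."""
    total = sum(counts.values())
    top_count = sum(counts.get(vendor, 0) for vendor in top)
    share = top_count * 100.0 / total if total else 0.0
    return top_count, total, share


def compare_years(year_a: int, year_b: int, top: Tuple[str, ...] = TOP_VENDORS,
                  data: Dict[int, Dict[str, int]] = DISCLOSURES) -> Dict[str, float]:
    """Compute the relative and absolute trends between two years."""
    top_a, total_a, share_a = top_share(data[year_a], top)
    top_b, total_b, share_b = top_share(data[year_b], top)
    return {
        "total_growth_pct": pct_change(total_a, total_b),
        "top_growth_pct": pct_change(top_a, top_b),
        "share_before_pct": share_a,
        "share_after_pct": share_b,
        "share_change_points": share_b - share_a,
    }


def relative_down_absolute_up(stats: Dict[str, float]) -> bool:
    """True when the top vendors' share fell even though their absolute count
    rose: the situation the article's figures describe."""
    return stats["share_change_points"] < 0 and stats["top_growth_pct"] > 0


if __name__ == "__main__":
    stats = compare_years(2005, 2006)
    for key, value in stats.items():
        print(f"{key:>20}: {value:8.2f}")
    print("share down while count up:", relative_down_absolute_up(stats))
    # The comment-thread case: one issue in one period, two in the next.
    print("Java example:", describe_growth(1, 2))
```

With the constructed data the top vendors' share drops from 30% to about 21% even though their own count grew by 12.5%, because the rest of the pool grew much faster; that is the shape of the article's 20.2% to 14.6% figure. The same `describe_growth` helper turns the comment's "100% higher" into "+100.0% (1 -> 2, +1)", which is the form a defender should insist on before treating a vendor's trend line as a risk signal.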