Gunter Ollmann (now of IOActive) offers a very interesting analysis of why vulnerability disclosures don’t really matter any more.
But I digress. The crux of the matter as to why annual vulnerability statistics don’t matter and will continue to matter less in a practical sense as times goes by is because they only reflect ‘Disclosures’. In essence, for a vulnerability to be counted (and attribution applied) it must be publicly disclosed, and more people are finding it advantageous to not do that.
This is a good point. With an increasingly robust market for weaponized exploits, it’s very unwise to assume that the number of discovered software vulnerabilities bears any resemblance to the number of reported vulnerabilities. Especially given how much more attack surface we expose than the traditional operating system. But Gunter isn’t done yet.
With today’s ubiquitous cloud-based services – you don’t own the software and you don’t have any capability (or right) to patch the software. Whether it’s Twitter, Salesforce.com, Dropbox, Google Docs, or LinkedIn, etc. your data and intellectual property is in the custodial care of a third-party who doesn’t need to publicly disclose the nature (full or otherwise) of vulnerabilities lying within their backend systems – in fact most would argue that it’s in their best interest to not make any kind of disclosure (ever!).
Oh man, Gunter is opening up the cloudy Pandora’s Box. With the advent of SaaS, these vulnerabilities won’t be disclosed. Unless it’s a hacktivist exploiting the vulnerability, you won’t hear about the exploit either. The data will be lost and the breach will happen. There is nothing for you to patch, nothing for enterprises to control, nothing but cleaning up the mess when these SaaS providers inevitably suffer data losses. We haven’t seen a major SaaS breach yet. But we have all been around way too long to believe that can last.
A lot of food for thought here.
Photo credit: “Funeral Procession in Crossgar” originally uploaded by Burns Library, Boston College