According to IBM’s ISS (via eWeek), the number of publicly reported vulnerabilities dropped in 2007.
Pete Lindstrom cautiously (unusual for him) wonders if this means we’re over the hump.
I wanted to pick on Pete, but he was cautious enough in his wording that I don’t get to go all crazy and have too much fun at his expense. Here’s what I think is going on:
- More researchers sell vulnerabilities. There is a big market, and I’m not just talking about the Zero Day Initiative or other “public” programs. Both good guys and bad guys are quietly buying them up.
- Some researchers report vulnerabilities and don’t disclose them in public. I know at least a few who leave it up to the vendor to reveal any details.
- Some irresponsible researchers and bad guys just pass them around in the dark, never issuing a disclosure. I suspect a fair few of these make it into the light eventually.
- There is high risk to the researcher in disclosing web application vulnerabilities, since that’s effectively hacking someone’s site and is rarely, if ever, legitimate (or legal).
There is a lot of money involved in security research these days. Some of it good, some of it bad. Also, some researchers just don’t want to deal with the hassles and ugly tactics of certain vendors, while others don’t feel the need to disclose in public.
Overall, the landscape for reporting has changed in big ways over the past couple years, but I highly doubt the lower numbers are in any way related to an actual reduction in code vulnerabilities across the industry.
4 Replies to “Why Vulnerability Counts Are Down”
Pete,
Sorry I got wrapped up on something yesterday during the time I was planning to respond.
I don’t wish numbers would go higher, that’s just silly. What I wish is we get to the point where the numbers don’t matter anymore, and we’re almost there for two reasons. First, because fewer are making it into public using the reporting mechanisms we use to count the things in the first place. Second, because while I believe secure development is important, I’m coming to accept that anti-exploitation, not vulnerability elimination, is the future of security.
We’ll never get rid of all the vulnerabilities, no matter how good our development process, so we need to focus more on technologies that make exploiting those vulnerabilities less likely. E.g. ASLR, sandboxing, etc.
I still believe we need vulnerability research, but rather than focusing on the bug of the week, it would focus on class vulnerabilities and defensive mechanisms to defeat them. Researchers are also important to highlight risky products we should avoid.
To answer your questions more directly, if not wittily, I know software isn’t getting more secure except in a few discrete cases, mostly over at Microsoft. The researchers I talk with have no shortage of bugs to find, and with web applications we’re creating an entire new world of bugs. Vulnerability counts are down in many Microsoft products and in a few open source projects and other vendor products, but there are plenty of new sources to feed the well. They’re moving, not disappearing.
Vulnerabilities are being reported less but I don’t consider this a hole in our security program since I never thought we should rely on something as unreliable as public vuln reporting. I don’t really care if counts are going up or down, unless people are silly enough to believe that it translates to direct increases or decreases in risk.
Vulnerabilities aren’t going away anytime soon, so let’s stop worrying about counts and start putting in security controls that care less about how many bugs are out there. Let’s not pretend that making researchers stop looking for and reporting them will make any difference.
@boB –
I suspect you either didn’t read my post or you think you know more than you actually do (unless, of course, you can account first-hand for the small decrease in % of vulns found).
Are you suggesting that you don’t understand the points I was making?
Time for a Federal requirement to publicly register all vulnerabilities? Lots of pluses and minuses there, and it would only cover the corporations (since the malicious folks are unlikely to comply).
If @Pete really is Mr Lindstrom, then a more fundamental understanding of security is in order if you’re going to report and then ask those questions. Trend analysis is a big part of what we do and if you’re pegging at “10” and you suddenly drop to “5” – and haven’t done anything deliberate to make that happen – then it’s cause for concern. I’ve not seen anything that would suggest development practices have changed much (i.e. even Vista has had security holes right after public release and that was supposed to have gone through one of the most stringent security dev cycles there is). For reporting vulnerabilities, see my first statement. I think mandatory disclosure (like most states have for PII loss) is necessary (at the Federal level).
Bug finders have not lost interest, but the DMCA has scared quite a few (DMCA and how the courts have interpreted it is one of the examples of bad decisions on the part of the Fed). Rich’s #4 alluded to this. There are also a slew of products to look at and really smart malicious folks who can very accurately target vertical software components rather than blanket an operating system version (as was the case in the past).
Then, there’s the detection problem. (no time left, tho…)
So, *tons* of reasons for fewer reported vulnerabilities.
Umm…I am happy to give you a chance to pick on me, but you have to let me know what I am supposed to say…
Should I suggest that it seems strange that IBM and now you are almost wishing or hoping that the numbers go higher, which is strange for a security professional?
Should I suggest that if, as you say, vulnerabilities are being reported less and less, this highlights a huge hole in our security program?
Or, something else?
Btw, since you seem to discount the possibility that software is getting better (why is that?) note that it could also be that bugfinders have simply lost interest.
How’d I do? Feel free to have at me with your wittiest, most logical argument. 😉