Volume 10, Number 31 -- September 7, 2010

Why Surging Security Vulnerability Rate May Be a Good Thing

Published: September 7, 2010

by Alex Woodie

The number of security vulnerabilities discovered in the first six months of 2010 increased by 36 percent compared to 2009, according to IBM's X-Force security team, which recently released its Mid-Year Trend and Risk Report. More than half of these vulnerabilities--mostly problems with Web applications--were still unpatched as July began. That's the bad news. The good news is that vulnerability disclosures are increasing, which means vendors are getting the transparency message.

The X-Force Research and Development team documented 4,396 new vulnerabilities in the first half of 2010, and 55 percent of them had no vendor-supplied patch at the end of the period. The complexity of Web applications built with JavaScript, the darling of Web 2.0, continues to be a big problem, as does Adobe's Portable Document Format (PDF). Cloud computing and virtualization products are just starting to appear on the long-range X-Force radar.

The increase in vulnerability rates is a reversal from previous trends. In 2008 and 2009, IBM and Microsoft reported declining vulnerability rates. That seemed to indicate that vendors were getting a handle on their production processes, that technologies were maturing, and that the World Wide Web was becoming a safer place to browse.

But IBM X-Force suggests that a rising vulnerability count is not necessarily a bad thing. This may seem counterintuitive at first. After all, hackers and cyber-criminals are actively exploiting these vulnerabilities to steal fortunes from victims all over the world. Wouldn't fewer vulnerabilities mean less opportunity for criminals?

The answer is yes and no. Security professionals recognize that total security can never be achieved. Instead, one can only hope to contain the problem by implementing processes that minimize the number of software flaws and the attack surface on which cyber-criminals feed. Without a huge breakthrough that suddenly allows programmers to write cleaner code with less effort (and that is definitely NOT happening with Web 2.0 technologies), one can assume that new flaws will be introduced into software at a relatively constant rate. A lower disclosure count, then, may simply mean that fewer of those flaws are being found and reported, not that fewer exist.

Given that unavoidable baseline of new vulnerabilities, the best way to deal with the problem is to accelerate remediation: get vendors to publicly acknowledge a flaw more quickly, and get their own developers and the open source community working on a fix.

This is what IBM says is happening, and that is a good thing. "This year's X-Force report reveals that although threats are on the rise, the industry as a whole is getting much more vigilant about reporting vulnerabilities," states Steve Robinson, general manager of IBM Security Solutions, in a press release. "This underscores the increased focus among our clients to continue looking for security solutions that help them better manage risk and ensure their IT infrastructure is secure by design."



Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed


Copyright © 1996-2010 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034