Why Surging Security Vulnerability Rate May Be a Good Thing
September 7, 2010 Alex Woodie
The number of security vulnerabilities discovered in the first six months of 2010 increased by 36 percent compared to 2009, according to IBM's X-Force security team, which recently released its Mid-Year Trend and Risk Report. More than half of these vulnerabilities, mostly problems with Web applications, were still unpatched as July began. That's the bad news. The good news is that vulnerability disclosures are increasing, which means vendors are getting the transparency message.
The increase in vulnerability rates is a reversal from previous trends. In 2008 and 2009, IBM and Microsoft reported declining vulnerability rates. That seemed to indicate that vendors were getting a handle on their production processes, that technologies were maturing, and that the World Wide Web was becoming a safer place to browse.
But IBM X-Force seems to indicate that it's not such a bad thing that the vulnerability rate is going up. This may seem counterintuitive at first. After all, hackers and cyber-criminals are actively exploiting these vulnerabilities to steal fortunes from victims all over the world. Wouldn't fewer vulnerabilities mean less opportunity for criminals?
The answer is, yes and no. Security professionals recognize that total security can never be achieved. Instead, one can only hope to contain the problem by implementing processes that seek to minimize the scope of the software problems and the attackable surface on which cyber-criminals feed. Without a huge breakthrough that suddenly allows programmers to write cleaner code with less effort (and that is definitely NOT happening with Web 2.0 technologies), one can assume that new flaws in software code will be introduced at a relatively constant rate.
Without a way to break this unavoidable baseline of new vulnerabilities, the best way to deal with the problem is to accelerate the remediation process, which involves getting vendors to publicly acknowledge more quickly that they have a problem, and getting their own developers and the open source community working on a solution.
This is what IBM says is happening, and that is a good thing. “This year’s X-Force report reveals that although threats are on the rise, the industry as a whole is getting much more vigilant about reporting vulnerabilities,” states Steve Robinson, general manager of IBM Security Solutions, in a press release. “This underscores the increased focus among our clients to continue looking for security solutions that help them better manage risk and ensure their IT infrastructure is secure by design.”