One of the most significant security problems enterprises face is software vulnerabilities, which often give attackers direct access to systems. Data from the last three years shows that software vulnerabilities are not trending up, but it shows they are not trending down either.
This article was originally published by Info-Tech Research Group. Copyright (c) 1998-2008 Info-Tech Research Group. All rights reserved. Reprinted by permission.
When criminals break into the enterprise, it is generally through a software vulnerability. Likewise, when data is stolen from portals or Web sites, vulnerabilities are often to blame. Recent studies show that the problem is not getting better.
Vulnerability Trends Not All Bad, but Not All Good Either
While by no means as common a threat as malware, software vulnerabilities are still a significant threat to enterprises. It is these weaknesses in application and operating system code that give attackers access to systems and data. Figure 1 summarizes several vulnerability measures, including overall vulnerability count and severity. It also shows the average window of exposure, that is, the time between a vulnerability's public disclosure and the release of the corresponding patch.
Figure 1. Vulnerability Trends for 2005 through 2007 Inclusive
Source: Info-Tech Research Group, derived from data published by Symantec
The vulnerability count was essentially stable through 2005, grew fairly rapidly in 2006 and then declined slightly in 2007. While the count was trending slightly upward overall, severity moved in the opposite direction: nearly 50% of vulnerabilities were classed as high severity in 2005, but that share has dropped to less than 10% since. An increased commitment to security in Software Development Life Cycle (SDLC) practices is the likely cause of this shift; the timing coincides with the release of products from major vendors that have made secure development core to their operations.
Of particular concern is the window of exposure. Though the value trended down over the first three periods, it climbed rapidly through the end of 2006, spiked in early 2007 and then declined again at the end of the year. Though the window essentially returned to where it started, it is not in steady decline. This suggests either that software vendors are devoting fewer resources to correcting problems or that newer vulnerabilities are harder to correct. When the primary advice on protecting software is "patch religiously," a six-week window of exposure, during which no patch exists to apply, limits the value of that advice.