Feeds

Security flaws on the rise, questions remain

Flawed rationale

The Essential Guide to IT Transformation

Yet, while the data is significantly flawed, the original story told by US-CERT's list seems to be the right one. The number of vulnerabilities reported in 2005 increased, mainly due to researchers looking into the security of Web applications. The National Vulnerability Database noted the largest increase of 96 percent from 2004 to 2005, while the Symantec Vulnerability Database saw the smallest increase of 40 percent.

While publicly reported flaws jumped, that does not necessarily mean dire prospects for home users' or businesses' security, said David Ahmad, manager for development at Symantec's Security Response team.

"Web-based vulnerabilities are all over the place and they are really easy to find--they are the low-hanging fruit," Ahmad said." We have had high-profile vulnerabilities, but that is not what is driving this increase."

Finding those flaws does not require much skills, said Brian Martin, content manager for the OSVDB.

"We are seeing people discover vulnerabilities in software with tiny distribution and low installed base--free guestbooks that are written left and right, available by the thousands," he said. "And we are seeing that it takes no skill to find vulnerabilities in these applications."

Disparate data

The number of vulnerabilities entered into four major databases vary widely over the past five years, but seem to indicate that 2005 was a banner year for bugs.

  2005 2004 2003 2002 2001
CERT/CC 5,990 3,780 3,784 4,129 2,437
NVD 4,584 2,340 1,248 1,943 1,672
OSVDB 7,187 4,629 2,632 2,184 1,656
Symantec 3,766 2,691 2,676 2,604 1,472

Sources: Computer Emergency Response Team Coordination Center (CERT/CC), National Vulnerability Database, Open-Source Vulnerability Database, and the Symantec Vulnerability Database.

Yet, the entire focus should not be on the rash of Web application flaws, Mell said.

The computer scientist conducted an informal survey of entries for flaws in products from well-known companies and found that six of 14 software makers had seen a doubling in the number of vulnerability reports, while another four firms saw a decrease in the number of reports. The remaining four companies reported a similar number of flaws as the year before.

"I find it amazing that large and reputable software companies are seeing a large number more flaws this year (2005) than last year," Mell said.

The database managers also cautioned that the vulnerability counts for any particular year generally do not reflect the state of secure software development, only where the research community's interests lie.

"These numbers are showing the state of practice from a few years ago, rather than what the current state of practice is today," said Jeff Havrilla, team leader of vulnerability analysis at the CERT Coordination Center.

Making the issue more difficult, several software vendors move to release patches on a specific day has resulted in most security bulletins detailing multiple vulnerabilities, a situation that makes the true number of flaws harder to count, Havrilla said.

This article was originally published at SecurityFocus.

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Fiendishly complex password app extension ships for iOS 8
Just slip it in, won't hurt a bit, 1Password makers urge devs
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.