Top-10 Vulnerable Vendors : 2007 : Frequency-X Blog
Top-10 Vulnerable Vendors

At the beginning of this year X-Force introduced a new style of annual security report – focusing on how threats developed and matured throughout the year – based upon statistical analysis of key data X-Force had accumulated. One of the debates we had internally was whether to present the “Top Ten Vulnerable Software Vendors” information, because ISS’ new owners, IBM, were listed in 5th place. Thankfully, after a little wrangling (and some concerned, if not skeptical, looks from the marketing team) we managed to keep it in… which I’m rather glad about. Then again, if IBM had happened to come in between 6th and 10th place, I’m pretty sure we’d have ended up with a Top-5 list instead of a Top-10.

At the time I found it interesting that the top-10 vulnerable software vendors pretty much paralleled the top-10 software vendors (by revenue, at least) – which isn’t particularly surprising when you think about it. If you look closely at the most popular (and prevalent) software, you’ll notice that it is rammed with advanced (and some sceptics might even say ‘useful’) functions and features. And, from what I’ve empirically observed in the past, the more functions and features you pack into a product, the more frequently software bugs and security-related vulnerabilities appear. Add to that the fact that the major software vendors tend to produce the most popular products, and it’s inevitable that they will always appear pretty high up the list – even with their ‘industry-leading’ QA and testing procedures.

Annual Contributions

When X-Force were compiling the report, one thing I neglected to do at the time was to examine how these Top-10 vendors contributed to the full year’s worth of security vulnerabilities.
So, after enjoying days of blistering 35-degree (95 Fahrenheit) sunshine high up in the French Alps last week, I took the opportunity one (cool) evening to look at the last 5 years’ worth of vulnerability data and figure out what proportion of annual vulnerability disclosures can be attributed to the Top-10. After a little Microsoft Excel data crunching, and some whizzy graphing magic, the following downward trend emerged – the Top-10 vulnerable vendors contribute a smaller fraction of all vulnerability disclosures per annum, decreasing from 20.2 percent to 14.6 percent over 5 years (see graph below).
There are a lot of reasons why I’d have expected to see this kind of decrease, but I think the biggest influencers are likely to be:
Top-10 Variance

It’ll be interesting to see how 2007 pans out. A quick (non-authoritative) look at some of the vendors that typically appear within the Top-10 each year (it’s a dynamic list, with only five software groups appearing somewhere in the Top-10 every year since 2002 – Cisco, IBM, Microsoft, Sun and the Linux Kernel Organization) reveals that the numbers are down slightly. That said, the first half of the year is typically the slowest for vulnerability disclosures – so we won’t really know until the end of the year. However, we can still cross our fingers and hope that any mid-year stats continue to follow the downward trend.
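The two calculations behind this post – the share of each year’s disclosures attributable to the Top-N vendors, and the set of vendors that make the Top-N every single year – are simple to reproduce in code rather than in a spreadsheet. The script below is an added example and not X-Force’s own tooling or data: the disclosure counts are constructed for illustration, the vendor names are placeholders, and the input shape (one `(year, vendor)` tuple per disclosure record) is an assumption about how such data would be exported. N is set to 3 here only so the toy dataset is readable; the same functions work with N = 10 over a real feed.

```python
from collections import Counter, defaultdict

# Constructed sample data (not X-Force figures): disclosures per vendor per year.
# Vendor names are placeholders; counts are chosen to avoid ties inside the top-N.
SAMPLE_COUNTS = {
    2002: {"alpha": 40, "bravo": 30, "charlie": 20, "delta": 6, "echo": 3, "foxtrot": 1},
    2003: {"alpha": 45, "bravo": 25, "delta": 30, "charlie": 10, "echo": 5, "foxtrot": 5},
    2004: {"alpha": 50, "charlie": 35, "bravo": 30, "delta": 12, "echo": 8, "foxtrot": 15},
}

# Expand the counts into one (year, vendor) record per disclosure, the shape an
# exported advisory database would typically have (assumption for this example).
SAMPLE_RECORDS = [
    (year, vendor)
    for year, counts in SAMPLE_COUNTS.items()
    for vendor, count in counts.items()
    for _ in range(count)
]


def disclosures_per_year(records):
    """Group raw (year, vendor) records into a Counter of vendors for each year."""
    per_year = defaultdict(Counter)
    for year, vendor in records:
        per_year[year][vendor] += 1
    return per_year


def yearly_top_n(records, n):
    """For each year, the n vendors with the most disclosures, highest first."""
    per_year = disclosures_per_year(records)
    return {
        year: [vendor for vendor, _ in counts.most_common(n)]
        for year, counts in sorted(per_year.items())
    }


def top_n_share(records, n):
    """Percentage of each year's disclosures that belong to that year's Top-N vendors.

    Note that the Top-N is recomputed per year, so the set of vendors behind the
    percentage can change from one year to the next, as the post describes.
    """
    shares = {}
    for year, counts in sorted(disclosures_per_year(records).items()):
        total = sum(counts.values())
        top_total = sum(count for _, count in counts.most_common(n))
        shares[year] = round(100.0 * top_total / total, 1)
    return shares


def perennial_vendors(records, n):
    """Vendors that appear in the Top-N in every year present in the data."""
    ranked = yearly_top_n(records, n)
    return set.intersection(*(set(vendors) for vendors in ranked.values()))


def is_downward_trend(shares):
    """True when the Top-N share strictly decreases year over year."""
    values = [shares[year] for year in sorted(shares)]
    return all(later < earlier for earlier, later in zip(values, values[1:]))


if __name__ == "__main__":
    shares = top_n_share(SAMPLE_RECORDS, 3)
    for year, share in shares.items():
        print(f"{year}: top-3 vendors = {share}% of disclosures")
    print("Downward trend:", is_downward_trend(shares))
    print("In the top-3 every year:", sorted(perennial_vendors(SAMPLE_RECORDS, 3)))
```

Because the Top-N is recomputed for each year, the share percentage and the membership question are deliberately separate functions: a falling share says nothing about whether the same vendors are behind it, which is exactly the distinction the post draws between the trend line and the five vendors that have stayed on the list since 2002.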