Posted by Gunter Ollmann
on February 11, 2008 at 12:04 PM EST.
Last week a
taster was provided as to the slight dip in new
vulnerability disclosure rates for 2007. There have been
several citations of the data after some of the security
news blogs picked it up - along with some short external
analysis pieces.
I found it interesting that several reporters
hypothesized that it was due to the selling of
vulnerabilities. I don't think so - at least not
directly, and not in the way that they think.
In addition, based upon some of the comments I
observed, a few people didn’t really understand that
X-Force were talking about the rate of increase. That is
to say there were around six and a half thousand brand
new – never seen before – vulnerabilities added to the
tens of thousands that businesses already have to
protect themselves against. In that context, a 5.4
percent decrease can hardly deliver much good news – but
I suppose it's better than an increase.
I guess the question for many people is “why the
decrease?”
Here are my thoughts on what has probably influenced
this marginal decrease in the rate of public disclosures
(in order of influence value):
- Decreasing Appeal – by that I
mean, the disclosure numbers have become so large
that finding a vulnerability has much less impact
nowadays. Just a couple of years ago, there was
still a lot of kudos associated with being able to
say that you had discovered dozens of
vulnerabilities. That street-cred has diminished of
late largely due to the high volume of fuzzer-found
vulnerabilities by what many would call
script-kiddies and the “statistical insignificance”
of many finds.
Don’t get me wrong, there are still a lot of
professional (and would-be-professional) bug-hunters
seeking out new vulnerabilities. However, to
differentiate themselves from the fuzzing
script-kiddies there’s been an increased emphasis on
only really pursuing high-impact vulnerabilities –
i.e. bugs that will stand out amongst the
statistical hordes. This is probably an influence on
the percentage increase in high-impact vulnerability
disclosures in 2007.
- Vendor Improvements – in the
way they test and QA new product releases have
matured. Sure, this year’s top-10 vulnerable vendors
probably looks much like any previous year, but most
have been improving how they test the security of
their products. It can be a little difficult to see
because the major vendors are constantly releasing
new software. If you take a look at the volume of
products they supported throughout 2007 (both new
products released in 2007 and previous years
“current” product portfolios), you’ll probably
notice that each had more software than ever before.
However, the vast majority of software isn’t
produced by the top-10 vendors – so John Doe’s
auto-search PHP-scripted portal is unlikely to have
been caught up in the “test the security before you
ship it” movement.
- Professional bug-hunters – have
increasingly achieved what they sought – i.e. to get
noticed, and be paid by the vulnerable vendors
themselves. I know literally hundreds of
reverse-engineers and researchers that have great
track records for finding vulnerabilities. Just
about all of them are now employed as full-time
security consultants – selling their skills to the
vendors of the software they used to publicly
disclose vulnerabilities in.
Just about all of them drove the “revolution” in
security testing and QA back in 2004/2005, and now
contract their skills to the vendors – driving the
improvements from within. I guess a regular salary
beats a few disclosures on Bugtraq.
Now don’t conclude that these professional
bug-hunters aren’t still finding new vulnerabilities
outside their vendor contracts. They still are.
However, the volume of new discoveries is less – due
to a mix of finding the time necessary to do the
research, and only really pursing the juicy
high-impact vulnerabilities that would improve their
reputation (and consequently their consulting
rates).
- Vulnerability purchase programs
– have helped weed out a lot of the “lame”
vulnerabilities and add an additional step (and time
delay) to the vulnerability disclosure process. I
think that many of the would-be-professional
bug-hunters have found that, in order to earn money
from their bugs, they have to do more work than just
saying “if I do this, the application causes a stack
overflow”.
To sell their vulnerability, they have to prepare
more information about their “security” flaw – all
this takes time and effort. In addition, by going
through this information gathering process, it
becomes easier to uncover the exploit impact of the
vulnerability – which probably causes more than a
few would-be-professionals to go to the additional
effort of proving that their “DoS” discovery could
really be a reliable remote-access vulnerability
(i.e. worth more money).
Obviously we’ll all be watching how vulnerability
disclosures pan-out in 2008. I’m sure we’d all like to
see the disclosure rate to continue to drop. However,
there are a lot of dynamics to the vulnerability
disclosure business and year-on-year rates have done
unexpected things before.
Since so much of bug hunting is now tool-based using
automated fuzzers, any substantial improvement in tool
quality during 2008 could cause the total number of
disclosures to sky rocket.