Access Equals More Vulnerabilities
First Published: X-Force Monthly Magazine
A common question I’m asked by clients and at various security
conferences is why some software vendors have more vulnerabilities than
others – in particular, why the software developed by the biggest vendors
continually appears to be vulnerable to the latest attacks, while the small
niche vendors seem to be immune.
There are of course multiple aspects to the answer, any one of them a
significant factor in understanding why the statistics tend to back their
conclusion. However, one of the most significant aspects to
vulnerability discovery is accessibility.
While it sounds like a cliché, a high volume of security research is really
done in the colloquial bedroom. Experienced and upcoming security
professionals alike hone their skills by downloading the latest versions of
popular software onto their home or personal systems and spend long evenings
poking and prodding it, trying to uncover new vulnerabilities.
So why are the largest vendors suffering more from security vulnerabilities?
It’s most unlikely that they are more poorly coded than their smaller
competitors. Instead, it’s often because the software is so easy to acquire.
Every security researcher I know will just go to a vendor’s site and
download a trial/evaluation copy of the software, set it up on his/her test
system or laptop, and start digging for security flaws.
I’m sure that if the vendors understood this aspect of vulnerability
research, there would be more interesting conversations at the executive
board level. By making available trial versions of their software,
they are allowing potential buyers to evaluate the software and come to like
their solution – a highly valuable practice from a sales and marketing
perspective. However, the downside is that more security professionals
(and tinkerers) are going to be hunting for flaws, which is likely to affect
existing customers of the software and increasingly affect the company’s
Vendors that control access to trail downloads or implement a trial
activation license to use the software through a “contact our sales
representative on this phone number” type interaction tend to fare better
than those that allow carte-blanche downloading and execution, since they
can better qualify the type of individual or organization making the
request. Vendors that don’t allow any downloading whatsoever, and
instead use sales presentations and non-interactive demos, fare even better
– assuming that the cost of purchasing the actual software is more than a
few hundred dollars and it isn’t popularly pirated.
Of course, the bigger and better organized the research group is, the less
likely the cost of acquiring valid (non-trial) versions of the software is
going to prove a barrier to their vulnerability research.
The same rationale applies to those really big and costly,
business-critical, enterprise-level applications and infrastructure
platforms. Having a high installation cost along with a limited market
means that security researchers don’t have the opportunity to “play” with
the application and find new vulnerabilities. Things change when the
products become mainstream and evaluation versions become available – just
ask Oracle how things changed after their infamous “Unbreakable” product
marketing scheme caused security researchers to clamor for copies and prove
Having said all that, with many international businesses now recruiting for
their own internal security assessment and penetration testing teams, the
likelihood of next- generation professional security researchers having time
to uncover security flaws within these previously inaccessible enterprise
application platforms is increasing. Don’t be surprised if over the
next twelve months individual researchers start publishing high volumes of
vulnerabilities in previously “secure” applications and platforms such as
SAP, OS/400, Tivoli, Great Plains or even Blackberry. Let’s just hope
that these researchers follow responsible disclosure guidelines.