Free Access Equals More Vulnerabilities
First Published: X-Force Monthly Magazine
A common question I’m asked by clients and at various security
conferences is why some software vendors have more vulnerabilities than
others – in particular, why the software developed by the biggest vendors
continually appears to be vulnerable to the latest attacks, while the small
niche vendors seem to be immune.
There are of course several parts to the answer, any one of them a
significant factor in understanding why the statistics tend to support that
impression. However, one of the most significant factors in
vulnerability discovery is accessibility.
While it sounds like a cliché, a high volume of security research really is
done in the proverbial bedroom. Experienced and up-and-coming security
professionals alike hone their skills by downloading the latest versions of
popular software onto their home or personal systems and spending long evenings
poking and prodding it, trying to uncover new vulnerabilities.
So why are the largest vendors suffering more from security vulnerabilities?
It’s most unlikely that they are more poorly coded than their smaller
competitors. Instead, it’s often because the software is so easy to acquire.
Every security researcher I know will just go to a vendor’s site and
download a trial/evaluation copy of the software, set it up on his/her test
system or laptop, and start digging for security flaws.
I’m sure that if the vendors understood this aspect of vulnerability
research, there would be more interesting conversations at the executive
board level. By making available trial versions of their software,
they are allowing potential buyers to evaluate the software and come to like
their solution – a highly valuable practice from a sales and marketing
perspective. However, the downside is that more security professionals
(and tinkerers) are going to be hunting for flaws, and the resulting stream of
published vulnerabilities affects existing customers of the software and,
increasingly, the company's share price.
Vendors that control access to trial downloads, or require a trial
activation license obtained through a "contact our sales
representative on this phone number" type of interaction, tend to fare better
than those that allow carte-blanche downloading and execution, since they
can better qualify the individual or organization making the
request. Vendors that don't allow any downloading whatsoever, and
instead rely on sales presentations and non-interactive demos, fare better
still, assuming that the actual software costs more than a
few hundred dollars and isn't widely pirated. "Fare better" here means fewer
publicly reported vulnerabilities, not necessarily fewer flaws in the code.
Of course, the bigger and better organized the research group is, the less
likely the cost of acquiring valid (non-trial) versions of the software is
going to prove a barrier to their vulnerability research.
The same rationale applies to those really big and costly,
business-critical, enterprise-level applications and infrastructure
platforms. Having a high installation cost along with a limited market
means that security researchers don’t have the opportunity to “play” with
the application and find new vulnerabilities. Things change when the
products become mainstream and evaluation versions become available – just
ask Oracle how things changed after their infamous “Unbreakable” product
marketing scheme caused security researchers to clamor for copies and prove
them wrong.
Having said all that, with many international businesses now recruiting
their own internal security assessment and penetration testing teams, the
likelihood of next-generation professional security researchers having the time
(and the licensed software) to uncover security flaws within these previously
inaccessible enterprise application platforms is increasing. Don't be surprised if over the
next twelve months individual researchers start publishing high volumes of
vulnerabilities in previously “secure” applications and platforms such as
SAP, OS/400, Tivoli, Great Plains or even Blackberry. Let’s just hope
that these researchers follow responsible disclosure guidelines.