Lessons Learned From A Decade Of Vulnerabilities

A pair of reports looks at the trends in vulnerability disclosure over a decade or more. Here are four lessons from the data on more than 50,000 flaws.

In 2012, the number of publicly reported software vulnerabilities jumped by 26 percent, the biggest increase in security issues in five years.

Bad news? Not necessarily. While the past decade of vulnerability disclosures saw the reversal of a five-year decline, it also marked a reduction in the number of easily exploitable, critical severity flaws. Two reports -- one released earlier this month and another scheduled for release next week -- analyzed the trends over the past decade or more and noted both positive and negative trends in software security.

The reports highlight the fact that vulnerabilities will not go away and that companies must find ways to minimize their impacts, says Stefan Frei, research director of NSS Labs, a security consultancy.

"Vulnerabilities are here to stay," he said. "I don't think that in five years' time we will have eliminated vulnerabilities from any software product."

In its report released in early February, NSS Labs analyzed almost 54,000 vulnerabilities in nearly 21,000 software products using data from the National Vulnerability Database (NVD). Next week, network-security firm Sourcefire plans to release its own analysis spanning more than two decades of software flaws.

Both reports find that the number of publicly reported software vulnerabilities peaked in 2006 and then declined over the next five years. In 2012, however, the tally of software flaws jumped -- by more than a quarter, according to NSS Labs' analysis.

Here are four lessons from the data, according to the experts who crunched the numbers.

1. Focus on security reduces exploitability, severity.
First the good news: Easily exploitable, critical severity vulnerabilities are increasingly uncommon.

In 2012, less than half of all vulnerabilities were easily exploitable, down from approximately 95 percent in 2000. In addition, fewer high severity flaws were found: The number of vulnerabilities with a score on the Common Vulnerability Scoring System (CVSS) of 7.0 or higher dropped to 34 percent of reported issues in 2012, down from a high of 51 percent in 2008.

The numbers indicate "a clear -- but slowing -- trend towards an increase in attack complexity," Frei stated in the NSS Labs report.

2. Still more than enough flaws.
While there are thousands of software vulnerabilities out there, opportunistic attackers tend to exploit only a dozen or two in any single year -- typically those exploits baked into cybercriminal toolkits.

Unfortunately, there are more than enough highly critical flaws to go around. In 2012, more than 9 percent of the publicly reported vulnerabilities had both a CVSS score of 9.9 and a low attack complexity, according to NSS Labs' analysis. Adobe, Mozilla, and Oracle -- the company that supports Java -- are the developers with the most easy-to-exploit vulnerabilities, accounting for almost half of the high-severity issues.

"You take all these thousands of vulnerabilities, and maybe only a dozen are being regularly exploited," says Zulfikar Ramzan, chief scientist at Sourcefire.

Companies should focus on fixing or mitigating the vulnerabilities that are included in exploit kits, he says.
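The slicing behind lessons 1 and 2 (share of a year's flaws that are "easily exploitable", share at CVSS 7.0 or higher, the subset that is both critical and low complexity, and a triage order that puts exploit-kit members ahead of raw score) is easy to reproduce against NVD exports. The following is an added example, not code from either report or from NVD; the records are constructed placeholders shaped like CVSS v2 base data, the CVE identifiers are not real, and the exploit-kit list is an assumed input a practitioner would supply from their own threat intelligence.

```python
"""Slice a set of NVD-style records the way the NSS Labs and Sourcefire reports describe."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve_id: str
    year: int                 # year of public disclosure
    cvss: float               # CVSS v2 base score, 0.0 to 10.0
    access_complexity: str    # CVSS v2 AC metric: LOW, MEDIUM or HIGH


# Constructed sample records (placeholder IDs, not real CVEs); an NVD export would be parsed into this shape.
SAMPLE_VULNS = [
    Vuln("CVE-0000-0001", 2011, 10.0, "LOW"),
    Vuln("CVE-0000-0002", 2011, 7.5, "MEDIUM"),
    Vuln("CVE-0000-0003", 2011, 5.0, "LOW"),
    Vuln("CVE-0000-0004", 2011, 4.3, "MEDIUM"),
    Vuln("CVE-0000-0005", 2012, 9.9, "LOW"),
    Vuln("CVE-0000-0006", 2012, 9.3, "MEDIUM"),
    Vuln("CVE-0000-0007", 2012, 7.2, "MEDIUM"),
    Vuln("CVE-0000-0008", 2012, 5.0, "LOW"),
    Vuln("CVE-0000-0009", 2012, 4.3, "HIGH"),
]


def _by_year(vulns, year):
    return [v for v in vulns if v.year == year]


def _share(subset, population):
    """Percentage of population that falls in subset, rounded to one decimal."""
    if not population:
        return 0.0
    return round(100.0 * len(subset) / len(population), 1)


def easily_exploitable_share(vulns, year):
    """The report's 'easily exploitable' bucket: LOW access complexity."""
    pop = _by_year(vulns, year)
    return _share([v for v in pop if v.access_complexity == "LOW"], pop)


def high_severity_share(vulns, year, threshold=7.0):
    """Share of the year's flaws scoring at or above the threshold (7.0 in the article)."""
    pop = _by_year(vulns, year)
    return _share([v for v in pop if v.cvss >= threshold], pop)


def critical_low_complexity(vulns, year, min_score=9.9):
    """IDs that are both near-maximal severity and trivially complex to reach."""
    return [v.cve_id for v in _by_year(vulns, year)
            if v.cvss >= min_score and v.access_complexity == "LOW"]


def year_over_year_change(vulns, year):
    """Percentage change in disclosure count versus the previous year."""
    prev = len(_by_year(vulns, year - 1))
    cur = len(_by_year(vulns, year))
    if prev == 0:
        return None
    return round(100.0 * (cur - prev) / prev, 1)


def prioritize(vulns, year, exploit_kit_ids):
    """Triage order per Ramzan's advice: exploit-kit members first, then by descending CVSS.

    exploit_kit_ids is an assumed input (set of CVE IDs) from the defender's own intelligence feeds.
    """
    pop = _by_year(vulns, year)
    ordered = sorted(pop, key=lambda v: (v.cve_id not in exploit_kit_ids, -v.cvss))
    return [v.cve_id for v in ordered]


def yearly_trend(vulns):
    """Per-year summary table of the metrics the two reports track."""
    return {
        y: {
            "total": len(_by_year(vulns, y)),
            "easily_exploitable_pct": easily_exploitable_share(vulns, y),
            "high_severity_pct": high_severity_share(vulns, y),
        }
        for y in sorted({v.year for v in vulns})
    }


if __name__ == "__main__":
    for year, row in yearly_trend(SAMPLE_VULNS).items():
        print(year, row)
    print("critical+low-complexity 2012:", critical_low_complexity(SAMPLE_VULNS, 2012))
    print("triage 2012:", prioritize(SAMPLE_VULNS, 2012, {"CVE-0000-0008"}))
```

On the constructed sample the triage order puts a CVSS 5.0 flaw that is in an exploit kit ahead of a 9.9, which is the point of lesson 2: in-the-wild use, not score alone, should drive patch order.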

3. New developers, new technology are fertile fields.
New technologies have always been fertile ground for vulnerability research; as a constant incubator of new technologies and frameworks, the Web is a steady source of software vulnerabilities, says Jacob West, chief technology officer of Hewlett-Packard's Enterprise Security Products group, which plans to release its own vulnerability analysis at the coming RSA Conference.

In the past decade, four of the top six vulnerabilities were Web-based software issues, he says. Today, more than half of Web sites are vulnerable to cross-site scripting issues.

"Enterprise applications are on a slower life cycle -- they are slower to patch," West says. "The other side of that coin, however, is that something like the Web, with an agile life cycle, can be updated faster, but may be more likely to have security holes introduced."

Other technologies that have yet to have mature, secure development life cycles are mobile applications and industrial control systems, he says.

4. Private markets competing for disclosure.
The decline in highly critical vulnerabilities may not necessarily be good news. HP and NSS Labs both theorize that security intelligence startups founded by vulnerability researchers, along with other channels for private sales, have diverted some of the most valuable vulnerabilities away from public disclosure.

"There is a bigger markup for critical vulnerabilities than there used to be," HP's West says. "There are black markets; there are private sources. So we think a lot of those high criticality vulnerabilities are being siphoned off."

The number of high severity vulnerabilities sold through the two most popular white-market programs, HP TippingPoint's Zero Day Initiative and iDefense's Vulnerability Contributor Program, peaked in 2011 at 18 percent, and fell last year to 6.3 percent. Since 2005, the programs have disclosed an average of 7 percent of high-severity issues.

The trend "correlates with reports of the vulnerability and exploit market rapidly expanding in 2012," the NSS Labs report states. "These changes in the security industry likely affect the share of established programs and could change the dynamics of the vulnerability handling processes in the future."
