5:55 PM -- I've often thought there are only a handful of people doing most of the security research that is being published. Last week that seemed to be the case. PDF reader is a ubiquitous plugin on most people's computers. It has such a high adoption rate that it is often bundled with the operating system on arrival. Unfortunately for users of Firefox, PDF reader suffered a huge blow a few weeks ago when Stefano Di Paola and Giorgio Fedon disclosed a cross-site scripting vulnerability at the Chaos Computer Club in Germany. (See When Your PDF Reader Turns on You.)
At first it was a low rumble, with only a few people taking note of the flaw, which at that time would make any Website that hosted a PDF file vulnerable to an XSS attack. Then the security community picked up on it and it became explosive. Adding insult to injury, I then found a location on the local drive that, using a vulnerability in QTL files, can be exploited to give an attacker local-read access to the computer in question.
Antivirus companies, anti-spyware companies, browser companies, network security companies, and in-house Web development staff all have a role to play in fixing these issues, but the braintrust is limited. According to Jeremiah Grossman, approximately 6,675 Web application security professionals are needed to complete PCI compliance alone, while in actuality only hundreds to low thousands are qualified to do source-code auditing. Only a small handful of those are actually doing research.
That means for every new developer entering the workforce there is even less security braintrust per line of code written, because all the available Web application security engineers are being paid to get companies into compliance. And that means more and more buggy code will make it to production, and there will be more severe vulnerabilities.
Things just aren't scalable right now. Demand has currently overwhelmed the supply of talented Web application security experts. I too have been tapped to help with compliance contracting, drawing yet one more researcher away. Unfortunately, research doesn't pay the bills quite like a company that's about to get fined by Visa for failing compliance.