In the first three parts of this series (part 1, part 2, part 3), Tim Rains explored some of the ways that the threat landscape (with a focus on malware) has evolved over the past decade and introduced a new special edition Microsoft Security Intelligence Report (SIR) called “The evolution of malware and the threat landscape – a ten year review.” In the next couple of parts, I will look at industry vulnerability disclosures over the past ten years, sharing some of the information published in the special edition SIR – and then (in part 5) supplementing that with some vendor data that has only been presented in our RSA breakout session earlier in the month.
Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of that software or the data it processes. Some of the worst vulnerabilities allow attackers to exploit the compromised system by causing it to run arbitrary code without the user’s knowledge.
The past ten years represent a very interesting timeframe for looking at vulnerability disclosures and the ensuing changes that continue to impact risk management in information technology (IT) departments around the world. Before digging into the charts and trends, let’s briefly review the past decade related to industry vulnerabilities.
A Decade of Maturation
Back in 2002, Mitre presented A Progress Report on the CVE Initiative, giving an update on the multi-year effort to create a consistent and common set of vulnerability information – with a particular focus on unique naming – to enable the industry to more easily assess, manage, and fix vulnerabilities and exposures. The CVE effort and data were later leveraged as the core of the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data, which is used as the primary index of industry vulnerabilities in the Security Intelligence Report.
Around this same time, two vendors took prominent action with respect to their approach to software vulnerabilities and risk. In January 2002, Microsoft called upon employees across the company to fundamentally rethink their approach to product development and strive to deliver products that are “as available, reliable and secure as standard services such as electricity, water services and telephony.” In contrast, Oracle launched a marketing campaign declaring their database “unbreakable.”
2002 also marked the beginning of a commercial market for vulnerabilities, when iDefense started its Vulnerability Contributor Program, which paid finders for vulnerability information.
In 2003, the National Infrastructure Advisory Council commissioned a project “to propose an open and universal vulnerability scoring system to address and solve these shortcomings, with the ultimate goal of promoting a common understanding of vulnerabilities and their impact.” This project resulted in a report, in late 2004, recommending the adoption of the Common Vulnerability Scoring System (CVSS version 1). Vulnerability severity (“scoring”) information was a big step forward for IT professionals, providing a common, standard method for rating vulnerabilities across the industry in a vendor-neutral manner.
In 2005, TippingPoint launched a program similar to iDefense’s, which prompted what some called a “price war” for vulnerability bounties. While the iDefense and TippingPoint vulnerability purchase programs embody a professional disclosure process that works with vendors to manage risk, the short-lived WabiSabiLabi was dubbed “eBay for Hackers” when it launched in 2007 to much press coverage and industry discussion, but ultimately couldn’t support itself and closed down in 2008.
2007 also brought an update to CVSS, with changes that addressed issues identified through the practical application of CVSS since its inception. In our Security Intelligence Report covering the second half of 2007, we provided vulnerability trends using both CVSSv1 and CVSSv2, and we have since used CVSSv2 ratings. As we noted at the time, one practical effect of the new rating formulas was that a much higher percentage of vulnerabilities were rated High or Medium severity.
Industry-Wide Vulnerability Disclosures
A disclosure, as I use the term, is the revelation of a software vulnerability to the public at large. It does not refer to any type of private disclosure or disclosure to a limited number of people. Disclosures can come from a variety of sources, including the software vendor, security software vendors, independent security researchers, and even malware creators.
Much of my data is compiled from vulnerability disclosure data that is published in the National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data. It represents all disclosures that have a CVE (Common Vulnerabilities and Exposures) number. Disclosure dates are compiled and calculated separately from public sources into my own database. [Note that in these charts, I mapped the year that the CVE was published in the NVD, not the year when it was disclosed. I only mention this because I normally chart vulnerabilities in the SIR by disclosure date, so some might notice a difference.]
The past ten years have seen dramatic growth in new vulnerability disclosures, peaking in 2006 and 2007, followed by a relatively steady decline over the past four years to just over 4,000 in 2011 – which is still a large number of vulnerabilities.
Vulnerability disclosures across the industry in 2011 were down 11.8% from 2010. This decline continues an overall trend of moderate declines. Vulnerability disclosures have declined a total of 37% since the high in 2006.
The Common Vulnerability Scoring System (CVSS) is a standardized, platform-independent scoring system for rating IT vulnerabilities. The CVSS assigns a numeric value between 0 and 10 to vulnerabilities according to severity, with higher scores representing greater severity. (See Vulnerability Severity at the Security Intelligence Report website for more information.)
The overall vulnerability severity trend has been a positive one. Medium and High severity vulnerabilities have steadily decreased since their high points in 2006 and 2007. Even as fewer vulnerabilities are being disclosed overall, the number of Low severity vulnerabilities being disclosed has remained relatively flat. Low severity vulnerabilities accounted for roughly 8 percent of all vulnerabilities disclosed in 2011.
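The charts above are built by binning NVD entries by the year the CVE was published and by CVSS severity band, then comparing year-over-year totals. As an added worked example (not code from the original post or from the SIR), the Python below does that binning over a handful of constructed placeholder records. It assumes a flattened record shape (id, NVD publication date, separately compiled disclosure date, CVSS v2 base score) rather than the raw NVD feed layout, and it assumes the NVD v2 severity bands of Low 0.0–3.9, Medium 4.0–6.9 and High 7.0–10.0. The record IDs are placeholders, not real CVE entries.

```python
"""Bin NVD-style records by year and CVSS v2 severity, then compute
year-over-year change.  Added example: the records below are constructed
placeholders (not real CVE entries) and the flat record shape is an
assumption, not the NVD feed format."""
from collections import defaultdict
from datetime import datetime

BANDS = ("Low", "Medium", "High")


def severity_band(base_score):
    """Map a CVSS v2 base score (0.0-10.0) to Low / Medium / High.

    Bands assumed to match NVD's v2 ranking: 0.0-3.9 Low, 4.0-6.9 Medium,
    7.0-10.0 High.  Out-of-range scores are rejected rather than mis-binned."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS score out of range: {base_score}")
    if base_score >= 7.0:
        return "High"
    if base_score >= 4.0:
        return "Medium"
    return "Low"


# Constructed sample records (placeholder IDs).  "published" is the NVD
# publication date; "disclosed" is the separately compiled public disclosure
# date.  The first record was disclosed in 2009 but published in 2010, which
# is exactly the discrepancy the author's note about chart years describes.
SAMPLE_RECORDS = [
    {"id": "CVE-2010-0001", "published": "2010-01-12T00:00:00", "disclosed": "2009-12-28", "cvss_v2": 9.3},
    {"id": "CVE-2010-0002", "published": "2010-03-03T00:00:00", "disclosed": "2010-03-01", "cvss_v2": 7.5},
    {"id": "CVE-2010-0003", "published": "2010-06-15T00:00:00", "disclosed": "2010-06-15", "cvss_v2": 5.0},
    {"id": "CVE-2010-0004", "published": "2010-09-20T00:00:00", "disclosed": "2010-09-18", "cvss_v2": 4.3},
    {"id": "CVE-2010-0005", "published": "2010-11-02T00:00:00", "disclosed": "2010-10-30", "cvss_v2": 2.1},
    {"id": "CVE-2011-0001", "published": "2011-02-08T00:00:00", "disclosed": "2011-02-08", "cvss_v2": 10.0},
    {"id": "CVE-2011-0002", "published": "2011-05-17T00:00:00", "disclosed": "2011-05-10", "cvss_v2": 6.8},
    {"id": "CVE-2011-0003", "published": "2011-08-23T00:00:00", "disclosed": "2011-08-23", "cvss_v2": 4.0},
    {"id": "CVE-2011-0004", "published": "2011-12-14T00:00:00", "disclosed": "2011-12-14", "cvss_v2": 3.3},
]


def count_by_year(records, date_field="published"):
    """Return {year: {"Low": n, "Medium": n, "High": n, "Total": n}}.

    Keyed by NVD publication year by default (as in the charts above); pass
    date_field="disclosed" to see how the same records shift when charted by
    disclosure year instead."""
    counts = defaultdict(lambda: {"Low": 0, "Medium": 0, "High": 0, "Total": 0})
    for rec in records:
        year = datetime.fromisoformat(rec[date_field]).year
        counts[year][severity_band(rec["cvss_v2"])] += 1
        counts[year]["Total"] += 1
    return dict(counts)


def percent_change(previous, current):
    """Year-over-year change in percent; negative means fewer disclosures."""
    if previous == 0:
        raise ZeroDivisionError("no disclosures in the base year")
    return round((current - previous) / previous * 100, 1)


def severity_share(year_counts, band):
    """Share (percent) of one severity band within a year's total."""
    return round(year_counts[band] / year_counts["Total"] * 100, 1)


if __name__ == "__main__":
    by_pub = count_by_year(SAMPLE_RECORDS)
    by_disc = count_by_year(SAMPLE_RECORDS, "disclosed")
    print("year  basis       Low  Medium  High  Total")
    for label, table in (("published", by_pub), ("disclosed", by_disc)):
        for year in sorted(table):
            c = table[year]
            print(f"{year}  {label:<10} {c['Low']:>4} {c['Medium']:>7} {c['High']:>5} {c['Total']:>6}")
    print("2010 -> 2011 change (published basis):",
          percent_change(by_pub[2010]["Total"], by_pub[2011]["Total"]), "%")
    print("Low share in 2011:", severity_share(by_pub[2011], "Low"), "%")
```

Run against a real NVD export, the only thing that changes is the loader that flattens each entry into the record shape above; the binning, the publication-versus-disclosure comparison, and the year-over-year arithmetic stay the same. The boundary scores in the sample data (3.9 would be Low, 4.0 is Medium, 7.0 is High) are worth keeping in any such script, since an off-by-one on those thresholds silently moves vulnerabilities between bands.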
Stay Tuned for More…
At a high level, this paints a good picture of how the industry has changed over the past ten years and how the volume of vulnerability disclosures has grown, peaked and then pulled back some, though the number of vulnerabilities disclosed per year is still very high.
Stay tuned for some drilldown on the data. In part 5 next week, I will analyze the vulnerability disclosures by vendor and then break the vulnerabilities down by operating system and applications to see how shifts in the software industry over ten years are reflected back into the industry vulnerabilities found and disclosed.
Best regards, Jeff