5 Signs Enterprise Software Security Is Improving
12:00 PM EST Wed. Apr. 03, 2013
IBM is documenting up to 150 vulnerability disclosures a week. Many of them are Web application flaws. Its vulnerability database has 70,000 unique vulnerabilities and has averaged 7,700 vulnerabilities per year over the past five years. But, vulnerability disclosure figures alone don't typically tell the whole picture. There are signs that software security processes at major software vendors are maturing. Product incident response teams are addressing coding errors more quickly than ever before, and their processes are constantly being refined, IBM said in its latest X-Force Trend and Risk Report.
Since 2008, overall vulnerability disclosures by major enterprise software vendors have been steadily increasing, according to IBM. The trend reversed in 2012, when the percentage of vulnerabilities disclosed by these companies decreased by 26 percent, the company said. It's unclear whether this is a one-time occurrence or whether more mature, secure software development practices are contributing to the decline, according to Leslie Horacek, the IBM ISS product manager who authored the report.
IBM said a decline in exploits targeting Adobe Acrobat and Reader vulnerabilities could be attributed to the sandbox capabilities in Adobe Acrobat Reader X. Sandboxing technology makes it more difficult for cybercriminals to use Adobe software flaws to gain access to systems by preventing malicious code from accessing critical system processes. Microsoft has also been increasingly building in defensive mechanisms, making it more difficult and costly for malware writers to target document vulnerabilities. In addition to exploiting a vulnerability, a malware writer needs to write code to bypass the added defenses, IBM said.
The Web browser is consistently one of the paths of least resistance for attackers to gain access to a company's critical systems and files. Both Google Chrome and Mozilla Firefox added automated patching features in their browsers and have been applying security updates across their user base much faster than in years past. IBM said the overall number of Web browser vulnerabilities fell 6 percent from 2011. Even with critical browser flaws increasing nearly 60 percent in 2012, attackers find it easier to target browser components frequently plagued with Web application vulnerabilities, IBM said.
A review of the top 10 enterprise-level software vendors found a vulnerability remediation rate of 94 percent, according to IBM. Three of the top 10 had a 100-percent remediation rate, the company said. IBM points to maturing secure development processes and product incident response teams as the sole factor in addressing vulnerabilities quickly and systematically. Now the bad news: unpatched vulnerabilities increased for the first time since 2008. A major factor in the increase could be low-severity coding errors in "small web applications, and obscure software written by individuals or tiny companies," IBM said.
Software security experts point to businesses' interest in finding ways to improve software security by getting it addressed earlier in the development cycle. A number of frameworks and models exist including the Microsoft Software Development Lifecycle, the Building Security in Maturity Model as well as the NIST software security assurance tool for developers. Better patch management also contributes to reducing the risk of a successful attack.