Can you believe that Apple has disclosed more security vulnerabilities than anyone else?
Check out this article:
http://www.infoworld.com/article/08/08/06/Apple_gets_bruised_in_vulnerability_report_1.html
Apple has taken the place of Microsoft for disclosing more vulnerabilities than any other vendor, according to an IBM security report.
"The company rose from second place in 2007 to take the top spot away from Microsoft, which had fallen into third place behind open source content management system Joomla."
For the most part, I've actually become numb to the number of vulnerabilities / updates released each month. To me, it comes down to the predictability of patches and the reliability of the patches released. My hope had been that, once we started the monthly patch release cycle, we would eventually reach the point where we would not have to release patches every single month. I agree that as long as we have vulnerabilities we need to be patching them, but why can't we eventually get to the point where we aren't finding vulnerabilities that often? OK, so I accept that patches are here to stay, and the fact that Apple has topped this vulnerability report is really not a big surprise, since their install base is growing and more people are seeing it as a viable platform to attack.
Microsoft still tops the list when it comes to the number of exploits released. Exploits are the malicious pieces of software that take advantage of the vulnerabilities; but we are dropping on the list of the number of new vulnerabilities being identified. To me, this is encouraging. I have always felt that security is not only a race of speed, but one of endurance as well. We must be quick to respond to vulnerabilities, but we must also make long-term commitments to addressing vulnerabilities going forward. We have focused on both needs. We have a global 24x7 team that is responsible for tracking and validating any potential vulnerabilities identified. This is the team that is also responsible for providing guidance to our user community. I could spend volumes talking about this group, but the Microsoft Security Response Center (www.microsoft.com/msrc) is the place to go for the low-down on what this team does, as well as the latest information on any items we are watching.
Personally, I had hoped our vulnerability count would have dropped years ago, but we have been consistent in quickly addressing the vulnerabilities as they've been identified. We have one of the lowest times to resolutions for vulnerabilities. I believe that the time to resolution is a bigger factor than the number of vulnerabilities. The "time to resolution" tracks the length of time between a reported vulnerability and the remediation of that vulnerability.
To me, the IBM report reinforces the fact that vulnerabilities will exist in software for a long time to come; and the leaders in the number of vulnerabilities will shift between various vendors. Vulnerabilities are not a vendor specific issue, they are an industry issue, so let's keep focus on the bigger issue here. It's not if there will be vulnerabilities and patches, but how many vulnerabilities, and how long it will take to resolve the vulnerabilities. Please consider the following as you evaluate new software within your infrastructure:
A) How long does it take for the vendor to provide a remediation to the vulnerability?
B) What type of infrastructure is available to assist in the deployment of these patches?
C) How long does it take you and your team to test and deploy these patches?
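The "time to resolution" metric defined above and evaluation criteria A and C are both intervals between dates on a vulnerability record, and the actual exposure of your environment is their sum. The following script is an added example, not code from the article or from Microsoft: it takes a small set of constructed vulnerability records (placeholder vendor names, made-up dates) and computes, per vendor, the median vendor time to resolution, the median internal test-and-deploy lag, and the median exposure window, while keeping still-unpatched items visible rather than dropping them from the numbers.

```python
from datetime import date
from statistics import median

# Constructed sample records for illustration only (not from the article
# or the IBM report). Vendor names are placeholders; dates are made up.
#   "reported" = date the vulnerability was reported to the vendor
#   "fixed"    = date the vendor shipped a patch (None if still unpatched)
#   "deployed" = date our own team finished testing and deploying it (None if not yet)
VULNS = [
    {"id": "V-1", "vendor": "VendorA", "reported": date(2008, 1, 3),
     "fixed": date(2008, 1, 20), "deployed": date(2008, 2, 1)},
    {"id": "V-2", "vendor": "VendorA", "reported": date(2008, 2, 10),
     "fixed": date(2008, 2, 15), "deployed": date(2008, 3, 5)},
    {"id": "V-3", "vendor": "VendorA", "reported": date(2008, 3, 1),
     "fixed": None, "deployed": None},                      # still open
    {"id": "V-4", "vendor": "VendorB", "reported": date(2008, 1, 15),
     "fixed": date(2008, 3, 20), "deployed": date(2008, 3, 25)},
    {"id": "V-5", "vendor": "VendorB", "reported": date(2008, 2, 1),
     "fixed": date(2008, 2, 11), "deployed": date(2008, 2, 20)},
]


def time_to_resolution(rec):
    """Days from report to vendor patch (criterion A); None while unpatched."""
    if rec["fixed"] is None:
        return None
    return (rec["fixed"] - rec["reported"]).days


def deployment_lag(rec):
    """Days from vendor patch to our own deployment (criterion C); None if not deployed."""
    if rec["fixed"] is None or rec["deployed"] is None:
        return None
    return (rec["deployed"] - rec["fixed"]).days


def exposure_window(rec, as_of):
    """Days a known vulnerability stayed unremediated in our environment.

    Open items are measured up to `as_of`, so an unpatched vulnerability
    lengthens the exposure figure instead of silently vanishing from it.
    """
    end = rec["deployed"] if rec["deployed"] is not None else as_of
    return (end - rec["reported"]).days


def summarize_by_vendor(records, as_of):
    """Per-vendor medians of the three intervals plus the count of still-open items."""
    by_vendor = {}
    for rec in records:
        by_vendor.setdefault(rec["vendor"], []).append(rec)

    summary = {}
    for vendor, recs in by_vendor.items():
        ttr = [d for d in (time_to_resolution(r) for r in recs) if d is not None]
        lag = [d for d in (deployment_lag(r) for r in recs) if d is not None]
        exposure = [exposure_window(r, as_of) for r in recs]
        summary[vendor] = {
            "count": len(recs),
            "open": sum(1 for r in recs if r["deployed"] is None),
            "median_ttr_days": median(ttr) if ttr else None,
            "median_deploy_lag_days": median(lag) if lag else None,
            "median_exposure_days": median(exposure),
        }
    return summary


def rank_vendors(summary):
    """Vendors ordered by median time to resolution, fastest first.

    A vendor with no shipped patches at all has no median and sorts last.
    """
    return sorted(
        summary,
        key=lambda v: (summary[v]["median_ttr_days"] is None,
                       summary[v]["median_ttr_days"] or 0),
    )


if __name__ == "__main__":
    snapshot = date(2008, 3, 31)          # constructed reporting date
    report = summarize_by_vendor(VULNS, snapshot)
    for vendor in rank_vendors(report):
        print(vendor, report[vendor])
```

The exposure window is the number that matters operationally: a vendor with a fast time to resolution does little for you if your own test-and-deploy lag (criterion C) is measured in weeks, which is why the two intervals are reported separately and then combined.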
People used to take the approach of using less popular software because there were not as many exploits being coded, but people are coding exploits for all platforms now, so it's not that easy to hide behind that idea anymore.
I hope this has helped provide a glimpse into how vulnerabilities are being tracked and reported, and how it is changing the behavior of the industry. Please also consider this information as you evaluate new solutions for your infrastructure. When you purchase a new solution, there is usually no track record of how that specific solution has been managed over its lifecycle, but you can look at how the vendor has historically managed their update and deployment process.
Until next time!
Rob