Top-10 Vulnerable Vendors
Posted by Gunter Ollmann on July 24, 2007 at 1:04 PM EDT.

At the beginning of this year X-Force introduced a new style annual security report – focusing on how threats developed and matured throughout the year – based upon statistical analysis of key data X-Force had accumulated.

One of the debates we had internally was whether to present the “Top Ten Vulnerable Software Vendors” information because ISS’ new owners, IBM, were listed at 5th place.  Thankfully, after a little wrangling (and some concerned, if not skeptical, looks from the marketing team) we managed to keep it in… which I’m rather glad about.  Then again, if IBM had happened to have come in between 6th and 10th places, I’m pretty sure we’d have probably ended up with a Top-5 list instead of a Top-10.

At the time I found it interesting that the top-10 vulnerable software vendors pretty much paralleled the top-10 software vendors (by revenue at least) – which isn’t particularly surprising when you think about it. 

If you look closely at the most popular (and prevalent) software, you’ll notice that they’re rammed with advanced (and some sceptics might even say ‘useful’) functions and features.  And, from what I’ve empirically observed in the past, the more functions and features you pack into a product, the more frequently software bugs and security-related vulnerabilities appear.  Add to that the fact that the major software vendors tend to produce the most popular products, and it’s inevitable that they will always appear pretty high up the list – even with their ‘industry-leading’ QA & testing procedures.

Annual Contributions

When X-Force were compiling the report, one thing I neglected to do at the time was to examine how these Top-10 vendors contributed to the full year’s worth of security vulnerabilities.

So, after enjoying the days of blistering 35 degree Celsius (95 Fahrenheit) sunshine high up in the French Alps last week, I took the opportunity one (cool) evening to look at the last 5 years’ worth of vulnerability data and figure out what proportion of annual vulnerability disclosures can be attributed to the Top-10.

After a little Microsoft Excel data crunching, and some wizzie graphing magic, the following downward trend emerged – the Top-10 vulnerable vendors contribute a smaller fraction of all vulnerability disclosures per annum, decreasing from 20.2 percent to 14.6 percent over 5 years (see graph below).

I think some people would be rather surprised to see this downward trend – especially with the record growth of vulnerability disclosures in 2006.  To my mind, it’s not entirely unexpected – but it’s nice to actually have the proof!

There are a lot of reasons why I’d have expected to see this kind of decrease, but I think the biggest influencers are likely to be:

  • The improved QA and testing processes now used by the largest software vendors have removed many of the “low hanging fruit” of days gone by - leaving their applications increasingly barren of vulnerabilities that can be discovered by "newbie" researchers.
  • The majority of the software packages produced by these large vendors have been “in the wild” for quite some time now – having gone through multiple iterative releases – and have been combed through by quite a few budding security researchers over the years.
  • There are more and more software packages released every year by new software companies – many of them offer easier pickings for security researchers and automated discovery tools.  This has helped contribute to overall annual increases in total vulnerability counts.

Top-10 Variance

It’ll be interesting to see how 2007 pans out. A quick (non-authoritative) look at some of the vendors that typically appear within the Top-10 each year (it’s a dynamic list, with only five software groups appearing each year somewhere in the Top-10 since 2002 – Cisco, IBM, Microsoft, Sun and the Linux Kernel Organization) reveals that numbers are down slightly.

That said, the first half of the year is typically the slowest for vulnerability disclosures – so we won’t really know until the end of the year.  However, we can still cross our fingers and hope that any mid-year stats continue to follow the downward trend.
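The two calculations the post rests on – the share of each year’s disclosures that the ten most-vulnerable vendors account for, and which vendors make the Top-10 every single year – are reproduced here as an added example (my own code, not X-Force’s, and not from the original post). The five vendor names come from the post; every disclosure count, the “VendorA”–“VendorF” names and the long tail of one-disclosure vendors are constructed for illustration.

```python
from collections import Counter

def _tail(k):
    """k constructed small vendors with a single disclosure each (the long tail)."""
    return {"SmallVendor%03d" % i: 1 for i in range(k)}

# Constructed per-year disclosure counts (vendor -> disclosures). Not X-Force data.
# 2006 has far more disclosures in total, yet the Top-10 share falls, which is the
# downward trend the post describes.
SAMPLE = {
    2005: Counter({"Microsoft": 40, "Cisco": 30, "IBM": 25, "Sun": 20,
                   "Linux Kernel": 18, "VendorA": 15, "VendorB": 12, "VendorC": 10,
                   "VendorD": 8, "VendorE": 7, "VendorF": 6, **_tail(300)}),
    2006: Counter({"Microsoft": 45, "Cisco": 28, "IBM": 24, "Sun": 21,
                   "Linux Kernel": 20, "VendorA": 17, "VendorC": 14, "VendorD": 9,
                   "VendorE": 9, "VendorF": 8, "VendorB": 4, **_tail(900)}),
}

def top_n(counts, n=10):
    """Vendors ranked by disclosure count; ties broken by name so the cut-off is
    deterministic rather than dependent on insertion order."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]

def yearly_top_share(data, n=10):
    """{year: (set of top-n vendors, fraction of that year's disclosures they hold)}"""
    out = {}
    for year in sorted(data):
        counts = data[year]
        total = sum(counts.values())
        top = top_n(counts, n)
        out[year] = ({v for v, _ in top}, round(sum(c for _, c in top) / total, 3))
    return out

def perennial_vendors(shares):
    """Vendors that appear in the top-n in every year covered (the post's 'five')."""
    sets = [vendors for vendors, _ in shares.values()]
    return sorted(set.intersection(*sets)) if sets else []

if __name__ == "__main__":
    shares = yearly_top_share(SAMPLE)
    for year, (_, share) in shares.items():
        print(year, "Top-10 share: %.1f%%" % (100 * share))
    print("In the Top-10 every year:", perennial_vendors(shares))
```

Feeding it real disclosure records instead of the constructed counts only requires building one Counter per year from the vendor field of each record.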

    Copyright 2001-2007 © Gunter Ollmann