Should our vulnerability counts be going up or going down? That is an important question every security professional should be considering when laying out a security program.

If you believe vulnerability counts should be increasing, then presumably you believe that we are only covering the tip of the iceberg with respect to the total number of vulnerabilities in production. In this case, you are taking a short-term view of what is happening in security – it is okay to be hoping the counts increase in the short term, but eventually you want them to decrease (right?).

If you think vulnerability counts should be decreasing, then you might be heartened by this bit of news from ISS’ X-Force:

For the first time [in 2007], X-Force witnessed a reduction (-5.4 percent) in new vulnerability disclosures from the previous year.

The strange thing here is that X-Force wants to explain this decrease as a statistical anomaly. I think they should be pointing to it as a potential indicator of success, albeit with a need for more substantiation. 

So, do you want the number of vulnerabilities found in 2008 to be higher or lower than those found in 2007? (Btw, if you have some reason to expect 6000-7000 vulnerabilities to be found this year, and I believe you do, what are you doing to protect yourself from these "known unknowns" RIGHT NOW?)

Update: Funny! People are really vested in ensuring this number stays high. Here’s what Larry Dignan at ZDNet/Zero Day had to say. Can you sense the worry? People get attached to this stuff so much that it becomes clear that they NEVER WANT TO BE DONE (not that they would, but presumably that is the end game for a process of finding vulnerabilities).