Should our vulnerability counts be going up or going down? That is an important question every security professional should be considering when laying out a security program.
If you believe vulnerability counts should be increasing, then presumably you believe that we are only covering the tip of the iceberg with respect to the total number of vulnerabilities in production. In this case, you are taking a short-term view of what is happening in security – it is okay to be hoping the counts increase in the short term, but eventually you want them to decrease (right?).
If you think vulnerability counts should be decreasing, then you might be heartened by this bit of news from ISS’ X-Force:
For the first time [in 2007], X-Force witnessed a reduction (-5.4 percent) in new vulnerability disclosures from the previous year.
The strange thing here is that X-Force wants to explain this decrease as a statistical anomaly. I think they should be pointing to it as a potential indicator of success, albeit with a need for more substantiation.
So, do you want the number of vulnerabilities found in 2008 to be higher or lower than those found in 2007? (Btw, if you have some reason to expect 6000-7000 vulnerabilities to be found this year, and I believe you do, what are you doing to protect yourself from these "known unknowns" RIGHT NOW?)
Update: Funny! People are really vested in ensuring this number stays high. Here’s what Larry Dignan at ZDNet/Zero Day had to say. Can you sense the worry? People get attached to this stuff so much that it becomes clear that they NEVER WANT TO BE DONE (not that they would, but presumably that is the end game for a process of finding vulnerabilities).
I think this measure is utterly irrelevant. The number of vulnerabilities only matters to the companies who make the products in the sample.
To me, as a security/systems guy, I really couldn’t care less if this number goes up, down, stays the same, or disappears.
If Windows has 0 vulns in a year, will that cause my actions to change? I might have an extra beer and give a hurrah for Microsoft, but that means nothing about my risk tomorrow, or the day after that, that a single new vuln will arise.
What if Windows has 0 vulns for 5 years? That doesn’t eliminate mistakes or other such situations that my users, staff, or even myself might introduce into my environment. Again, little of my action will change.
If anything, my C-levels may eventually read such reports and lower my budget in response, which would (stupidly) change my behavior. But hey, that’s life.