
Journal gingerkazza's Journal: The truth about software low hanging fruit vulnerability

http://www.daniweb.com/blogs/entry1560.html

If you were to just take weekly media reports and monthly security researcher statistics as your metric, then I suspect it would be a safe bet to suggest that you would say software security vulnerabilities are on a steep upwards curve. Furthermore, it is just as likely that, given the media exposure to such events as Microsoft Patch Tuesday and the furore when Adobe or Apple announce a hole has been discovered in a high profile product, you would say that things are only getting worse as far as the big software vendors are concerned. The thing is, when you have statistical tunnel vision it becomes very difficult to see the bigger picture.

But that panoramic view, surveying the software vulnerability landscape over the last five years, is just what Gunter Ollmann, Director of Security Strategy at IBM Internet Security Systems, has been looking at. And he has come up with a, frankly, surprising conclusion that as far as the top ten software vendors contributing to vulnerability disclosure statistics are concerned, the trend is actually a downwards one. Using data collated by the IBM ISS X-Force security research labs, Ollmann was able to do the math and discover that despite there being a record growth in vulnerability disclosure during 2006, up 39.5% over 2005, the contribution by the top ten vendors has decreased from 20.2% to 14.6% during the last five years.