ISS: Vulnerability counts fall in 2007; Do you buy it?
IBM's Internet Security Systems is previewing its X-Force report and disclosed a notable factoid: Vulnerability disclosures fell 5.4 percent in 2007 relative to 2006.
Here's the data in a chart as disclosed in the ISS blog:
Feel safer yet? You shouldn't.
ISS says that the decline is a statistical anomaly because the growth in vulnerabilities was large in 2005 and 2006. The 2007 decline could be just a statistical correction in an uptrend. ISS also notes that "although there was a decrease in overall vulnerabilities, high-priority vulnerabilities increased by 28 percent. Researchers could simply be focusing on the sometimes more difficult, high-priority finds."
I reckon that ISS' explanations are off on all counts. Vulnerabilities aren't down--disclosure is down. So where are these vulnerabilities going? Here are three not so comforting possibilities:
- Hackers are selling vulnerabilities instead of disclosing them;
- Hackers are banking vulnerabilities for later;
- Or these vulnerabilities aren't disclosed and quietly patched. If a vulnerability is never disclosed and patched on the fly would you ever notice?
In any case, there's a lot happening under this surface data. Unfortunately, it'll take a few more years to see where the vulnerability trends lie.