You don’t have to be an IT manager to notice that cybersecurity threats are all over the news lately. Simply using software from some of the most popular and trusted brands in the marketplace can expose your company to a host of problems: malware, exploitable software vulnerabilities, and spam.
For today’s business owners, protecting their bottom line includes protecting against information security risks. So, what has really been going on in IT security? Who are the most vulnerable companies, and is it getting any better out there?
After a 5-year decline, the number of software vulnerabilities tracked by the National Vulnerability Database increased in 2012, with software by Adobe, Mozilla, and Oracle containing the most critical flaws, according to a report released in February by technology and security research firm NSS Labs.
According to the report, the number of vulnerabilities grew to 5,225 in 2012, an increase of 26 percent. However, in 2011, vulnerabilities had decreased by 36 percent from an all-time high of 6,462 in 2006.
This reversal suggests that developers have yet to master the secure programming techniques and processes that would permanently reduce the number of vulnerabilities found in their software products.
At the top of the list of vendors, Oracle reported 429 security vulnerabilities affecting its products last year. Oracle’s Java has recently become a major target, with cybercriminal exploit kits quickly adding working exploits for newly disclosed Java vulnerabilities. Apple came in second, with 297 flaws, and Google ranked third, with 279.
While ranking lower in the total number of flaws, Adobe’s software topped them all by containing the most critical vulnerabilities in 2012. The ubiquity of its Flash plug-in and Acrobat PDF reader makes Adobe a favorite among attackers. Adobe accounted for 112 of the 484 vulnerabilities that carried a “critical severity” rating, and many of those were also rated as requiring only low-complexity attacks to exploit. On that list of critical, easy-to-exploit flaws, Mozilla and Oracle came in second and third, with 13 percent and 10 percent respectively.
The results of the report were not all bad, though. The share of vulnerabilities rated highly critical declined. And since 2000, the vulnerabilities being reported have on average become harder to exploit: the share rated as requiring medium-complexity attacks (NVD’s access-complexity metric) has increased over the past decade, while the share of low-complexity ones has declined.
In addition, four of the 10 companies with the most security vulnerability issues have reduced their overall number of vulnerabilities in the past year. Only Microsoft, however, had fewer vulnerabilities in 2012 than its average over the past 10 years.
Although it has been slow, software is making steady progress in becoming more secure. Websites and online services, on the other hand, are still a gray area. Unlike source code and binaries in a researcher’s own possession, live websites and services cannot legally be tested by security researchers without the operator’s authorization. As a result, much of the progress being made in software security is absent in these areas. To date, only a few companies, including Google and Facebook, have explicitly invited researchers to test their systems.