Study indicates that vulnerability management's getting no better
In the festivity and fun that is the annual Black Hat gathering (confidential to D. Tangent: okay, I give up, how did you manage to get it as warm in Seattle this week as it is in Vegas?), it's easy to miss some of the small but telling talks that frame the discussion. I'm the first to admit that I'm all atwitter waiting for Thursday's pwn-any-iPhone vulnerability reveal, but on Wednesday I'm sitting with Qualys's report on the state of vulnerabilities out in the world, enjoying it much as one enjoys the Up series of movies.
The Up documentary series, for those who haven't Netflixed it, is following 14 British kids through their lives, interviewing them at 7, 14, 21, 28, 35, 42, and 49 so far. (The series started in 1964.) The concept is based on the old Jesuit saying, "Give me a child until he is seven and I will give you the man," and the filmmakers are watching to see if that's true -- if the rich kids stay rich, if the kids in unsettled homes grow up to have unsettled homes of their own, and so forth. If potentials are pronouncements, in other words.
It's good stuff, and though the Qualys report has a long way to go to replicate that sort of long-arc data accretion -- the company released its first report in '04, and this is the second, covering 2008 -- it's interesting to ask what sort of progress we've made on coping with bugs and what sort of creature the security industry is turning out to be.
Of course, the kids in Seven Up actually grew up. Vulnerability management... not so much.
The Laws of Vulnerabilities 2.0 (PDF and PowerPoint available) documents progress, as measured by Qualys' vulnerability SaaS, on four aspects of vulnerability management: the time it takes to reduce occurrences of a vulnerability by half, the turnover rate on the "top 20" vulnerability list in the course of a year, the lifespan of vulnerabilities, and the time elapsed between the announcement of an exploit and the first attack spotted.
Bluntly put, we've made no progress. The half-life of a vulnerability is unchanged at about 30 days, with some industries (service industries, finance, wholesale/retail) doing a bit better and some (healthcare, manufacturing) doing even worse at applying the patches necessary to knock down those occurrences. Persistence is also unchanged: Simply put, a vulnerability lasts forever; they do not die; they are never fully patched into oblivion; you will never be done patching old holes. The report estimates that even critical vulnerabilities eventually stabilize at a 5-10% infection rate.
And that's the good news. The prevalence of vulnerabilities big enough to make the top-20 list has increased, with 60% of vulnerabilities spotted lasting through the one-year period of the study. Worst of all, the time-to-exploit for new vulnerabilities has cratered, happening in less than 10 days on average compared to 60 days in 2004.
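To make the report's two headline measures concrete, here is an added example (not code from the column or from Qualys) that computes a vulnerability's half-life and its persistence floor from a set of scan results. The scan records are constructed to mimic what a scanner emits, and the fleet behind them is an assumption: unpatched hosts halve every 14 days except for a fixed 8% that never patch. The definitions used (half-life as the first time prevalence halves, the floor as the mean of the last few scans, and a log-linear fit for the decay of the part above the floor) are this example's reading of the metrics, not the report's published method.

```python
"""Vulnerability half-life and persistence computed from scan results.

Added illustration for this column; it is not code from the column or from
Qualys, and the scan records are constructed, not real scan data.
"""
import math

SCAN_DAYS = list(range(0, 127, 7))  # one scan per week for 18 weeks


def build_scan_records(n_hosts=200, patch_half_life=14.0, never_patch=0.08):
    """Constructed fleet (assumption, not Qualys data): the number of unpatched
    hosts halves every `patch_half_life` days, except for a fixed fraction
    that never patches. Returns (host, scan_day, vulnerable) tuples in the
    shape a scanner would emit."""
    records = []
    n_stuck = round(n_hosts * never_patch)
    for h in range(n_hosts):
        if h < n_stuck:
            patch_day = math.inf  # never remediated
        else:
            # deterministic quantile of an exponential patch-time distribution
            u = (h - n_stuck + 0.5) / (n_hosts - n_stuck)
            patch_day = -patch_half_life / math.log(2) * math.log(1.0 - u)
        for day in SCAN_DAYS:
            records.append((f"host{h:03d}", day, day < patch_day))
    return records


def prevalence_series(records):
    """Fraction of scanned hosts still vulnerable on each scan day."""
    seen, vuln = {}, {}
    for _host, day, is_vuln in records:
        seen[day] = seen.get(day, 0) + 1
        vuln[day] = vuln.get(day, 0) + int(is_vuln)
    return [(day, vuln[day] / seen[day]) for day in sorted(seen)]


def half_life(series):
    """Days until prevalence first falls to half its initial value, with
    linear interpolation between scans; None if that never happens."""
    target = series[0][1] / 2.0
    for (d0, p0), (d1, p1) in zip(series, series[1:]):
        if p1 <= target < p0:
            return d0 + (p0 - target) / (p0 - p1) * (d1 - d0)
    return None


def persistence_floor(series, tail=4):
    """Residual prevalence: mean of the last `tail` scans."""
    return sum(p for _d, p in series[-tail:]) / tail


def excess_half_life(series, floor):
    """Half-life of the part above the floor, from a least-squares fit of
    ln(prevalence - floor) against time; points near or below the floor
    are skipped because their logarithm is dominated by noise."""
    pts = [(d, math.log(p - floor)) for d, p in series if p - floor > 0.02]
    n = len(pts)
    mt = sum(d for d, _ in pts) / n
    my = sum(y for _, y in pts) / n
    slope = sum((d - mt) * (y - my) for d, y in pts) / sum((d - mt) ** 2 for d, _ in pts)
    return math.log(2) / -slope


if __name__ == "__main__":
    s = prevalence_series(build_scan_records())
    for day, p in s:
        print(f"day {day:3d}: {p:6.1%}")
    print("half-life (days):", round(half_life(s), 1))
    floor = persistence_floor(s)
    print("persistence floor:", f"{floor:.1%}")
    print("excess half-life (days):", round(excess_half_life(s, floor), 1))
```

The point the two floor-aware numbers make is the one the column makes: a plain half-life says how fast the bulk of a fleet patches, while the floor says how much never does, and a program that only watches the first will declare victory long before the residue is gone.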
The authors of the study noted that there have been some sea changes from 2004 that admittedly make certain comparisons over time tough. Research focus has changed in large part from server-side vulnerabilities to those found in desktop apps, a far larger field of play; that could have something to do with why the number of vulnerabilities reported has more than doubled in the past five years. Some of the apps that seem to hold down a permanent place in the top 20, however, aren't that new to anyone: Microsoft Office, Sun Java, and Adobe Reader. (Windows 2003 Server SP2 also makes the unfortunate list.) "This list proves," the report dryly notes, "that there are applications that are not receiving enough attention by IT administrators."
Qualys derived its number from 104 million scans done by approximately 3,500 organizations last year.
At this point, if the security industry were one of the kids from the Up series, we'd shake our heads and consign it to being no better, no more capable of improving its lot, than the most dismal interpretations of "and I will give you the man" might have predicted -- a pessimistic outlook that meshes fairly well with the reality of fighting back threats, network weirdness, and endless new attack surfaces on a daily basis. But there are slivers of good news in the report too; for instance, Qualys points to good progress on shrinking exploitation windows by sorting applications into priority and non-priority update rosters, and making sure net-facing apps such as browsers are in the high-priority group. And Chrome and Firefox developers merit praise in the report for using update mechanisms to aggressively push patches. In other words, it may be tempting to give up on vulnerability management even at this early stage of the game, but as with the kids of the Up series, the ultimate answer is just not that simple -- nor that inevitable.
And then there's this: As I finish this column late Wednesday night, I'm wondering what Facebook's next privacy debacle will be, now that they've managed to demonstrate that data-sharing settings on certain applications can be hamstrung with the greatest of ease. (Facebook's not talking at the moment, but if they were my first question would be about whether some glitch has surfaced as we near the launch of those more-granular privacy controls we've all been promised.) How do they top dumping all one's tweets onto one wall -- auto-launch of webcams on user machines, reverse the block-user functionality, post everyone's PII in the main feed? Facebook is already one of those companies that gives privacy nerds the heebie-jeebies. Foolishness like this, especially when it seems that every affected service BUT Facebook has indicated that it's aware of the problem, does not help.
And also: Apple partisans can find an excuse for everything their pet company does, so I'd like to invite the fanboi contingent to explain how it is that Cupertino is Good And Just And Sweet Like Puppies with this claim to the Copyright Office that allowing iPhone owners to jailbreak their handsets could endanger the nation's mobile-phone infrastructure. The rest of us are going to just stand by and feel sorry for you while you do that. But I'll give the company credit: The claim is one of the damnedest advances in the field of Security Theater that I have ever seen. Always innovating, Apple.