Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Researchers overwhelming vendors with security flaws

SANS report paints grim if complex picture.

Article comments

Booming numbers of security researchers are uncovering so many flaws that vendors are finding it almost impossible to patch them all in a reasonable timeframe, the latest SANS report has found.

This paradox is one of a number of findings contained in the Top Cyber Security Risks report, which the organisation now plans to publish twice yearly in association with data provided by customers of partners TippingPoint and Qualys, upgrading the annual reports it has produced for some years.

More researchers hunting for flaws should be a good thing, but the report for March to August 2009 suggests that this has created logistical problems for an industry that is still heavily focused on adding features and product enhancement as its main priority.

Attackers now look to undermine systems through application vulnerabilities, with server-side and OS flaws declining in significance. Simultaneously, legitimate researchers have started finding the same types of flaws, which has caught some vendors in a pincer of malicious attacks and honest disclosures they often don't seem to have allocated the resources to deal with.

"There is a corresponding shortage of highly skilled vulnerability researchers working for government and software vendors. So long as that shortage exists, the defenders will be at a significant disadvantage in protecting their systems against zero-day attacks," note the report's authors.

The applications being attacked are significant in that they probably live on almost every PC in the world. The leading culprits identified by SANS are Microsoft's Office, Adobe's Acrobat Reader and Flash programs, and Sun's Java, and the various browsers in which such program often run as plug-ins. Apple's Quicktime is another rising vulnerability star notable because it is popular across more than one operating system.

The arithmetic is daunting. More flaws, including zero day flaws, are being are being discovered in software that is ubiquitous, which has led to increased patching times. This is partly to do with the time it takes to produce a patch and partly down to organisations misunderstanding the risk of app flaws and taking too long to apply patches.

"On average, major organisations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. In other words the highest priority risk is getting less attention than the lower priority risk," says the report.

According to Wolfgang Kandek of Qualys, one of the major contributors to the SANS data, a third issue was how to roll out security updates to consumer PCs in an efficient way..

"The problem today is that it is splintered on six [or more] different updaters." Just coping with application patching on a single PC had become a major challenge, he said, which suggested a new integrated mechanism was needed to make patching more seamless. Kandek praised Google's Chrome browser, where patching happened transparently and without user intervention, as a model for the future.

"It can be quite challenging if you are focused on development to understand that software gets abused."
The issue of patching cycles and patch application is already well-discussed by Qualys's own annual Laws of Vulnerability report, so the latest blast from SANS says nothing organisations shouldn't already be aware of.

The bigger lesson is for software vendors, which need to employ more researchers of their own and more people to relate their discoveries to the complex process of patching vulnerable apps. Microsoft has done a lot of hard work in this area with its much-vaunted Software Development Lifecycle (SDL), which is supposed to have changed the way apps get written from the first line of code. Others have much work to do - Adobe take note.


More from Techworld

More relevant IT news


Eirik Iverson said: With cyber criminals targeting the programming mistakes of software applications commonly found on PCs auto-update features are indeed useful But careful what you wish forhttpwwwblueridgenetworkscAuto-update must be implemented securely The artice link above tells you most do not See Never Ending Vulnerabilities for Web Browsers at the same place

Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *