2007 X-Force Report Preview - Vulnerability Trends
Posted by Kris Lamb on February 05, 2008 at 10:06 AM EST.
With the arrival of the New Year have come many exciting and complex issues keeping X-Force extremely busy. So much so that we have obviously been shirking our blog responsibilities to our readers. As acknowledgement of this, we in X-Force will be making a more conscious effort to make sure regular, frequent, and interesting commentary makes it to the blog from a variety of X-Force researchers, engineers, and thought leaders throughout 2008.
To this end, I thought a good way to make amends for this blog neglect, as well as provide a teaser of our soon-to-be-released X-Force 2007 Trend Statistics Report, was to use the blog to provide a daily preview of the report for the remainder of this week.
This is how it will work. Each day we will post an excerpt from the report which will focus on one of the many trends X-Force measured, observed, and analyzed in 2007. This works out nicely as there are five sections in the report, and obviously five days in the work week. Since it is already Tuesday, we will post the initial two preview posts today and then provide a daily post for the remainder of this week.
I hope you find the preview excerpts relevant and that they pique your interest for the full report, which should release to the public very soon. So without further ado, we will begin our preview posts with an excerpt from the vulnerability analysis section of the report:
2007 Vulnerability Count
For the first time, X-Force witnessed a reduction (-5.4 percent) in new vulnerability disclosures from the previous year. The drop could represent an anomaly, a statistical correction or a new trend in the amount of disclosures.
2005 and 2006 saw large spikes in vulnerability growth (approximately 41 percent each year) that were well above the X-Force Database historical average (27 percent a year). The 5.4 percent decline in 2007 could simply be a statistical correction to the growth in vulnerabilities in 2005 and 2006. Although the number of disclosures dipped in 2007, the drop (5.4 percent) is less dramatic than the decrease in vulnerability growth witnessed between 2002 and 2003—as shown in Figure 1 and Table 1.
Although there was a decrease in overall vulnerabilities, high-priority vulnerabilities increased by 28 percent. Researchers could simply be focusing on the sometimes more difficult, high-priority finds.


