Mid-Year 2010 X-Force Trend and Risk Report - Update to Unpatched Vulnerabilities Chart
Posted by Tom Cross on August 28, 2010 at 9:35 AM EDT.
Hopefully most of the readers of our blog are aware that this week we released the X-Force 2010 Mid-Year Trend and Risk Report. It's available for download now from our website and is full of interesting data on vulnerability disclosures, attack activity, spam and malware.
One of the key data sources for the report is the X-Force database, where we have been cataloging vulnerability disclosures for over a decade. Our database team monitors every known mailing list, vendor advisory page, and exploit website and manually documents every security vulnerability that is ever disclosed for any software product, along with its CVSS score and remedy. In the past 6 months we've tracked nearly 4,500 vulnerabilities in this database. As you might imagine, this is a complicated task, as every software vendor handles security vulnerabilities differently and few standards exist today for sharing this information.
We use the X-Force database to generate a number of charts in the trend report, including a chart listing the software vendors with the largest number of unpatched security vulnerabilities. The reason we include this chart in the report is to highlight the fact that at any given time there are security vulnerabilities that have been publicly disclosed that impact popular enterprise software, and that it takes time for even the most responsive vendors to make patches available.
After we released our trend report this week, we received feedback from two software vendors regarding the severity and remedy information for some of the vulnerabilities behind this chart. This sort of input is crucial for us: with more input from software vendors about vulnerability information, we get greater accuracy in our snapshot of the industry. As a consequence of this feedback, we have manually reassessed the CVSS scoring, remedy information, and vendor information for every vulnerability that impacted the percentages that appear in this chart. You can see the updated version of the chart in this blog post, and we will be releasing an updated version of the report early next week which includes this chart.

Of course, the accuracy of the information we're reporting in our vulnerability database and in our trend reports is of the utmost importance to us. Every vulnerability page in the database has always included our email address for corrections and additions, and we work constantly to develop and maintain relationships with other software companies to coordinate vulnerability information. Efforts are currently underway within the software industry to develop standards for reporting of vulnerability and remedy information. We believe that those standardization efforts hold the key to making sure that consumers always have the latest information from software vendors about vulnerability disclosures affecting their products.