Research and Markets: World Vulnerability Research Tracker - The 1Q 2010 Edition


DUBLIN--(BUSINESS WIRE)-- Research and Markets (http://www.researchandmarkets.com/research/78a639/world_vulnerabilit) has announced the addition of Frost & Sullivan's report "World Vulnerability Research Tracker 1Q 2010" to their offering.

The Vulnerability Tracker is compiled from various public sources to analyze the vulnerability landscape from 2000 to the present. The US CERT is the primary source of data, but other sources include the National Vulnerability Database as well as news and vendor websites. The top research companies are also interviewed to provide industry and technology trends. The data is collected, queried, and segmented, resulting in a wealth of information that is intended to provide qualitative commentary on the research industry and to recognize the most prolific disclosers of vulnerability reports. This research service includes bugs reported by security vendors and research/testing labs such as iDefense, TippingPoint, and Secunia.

Key Highlights:

  • The number of vulnerabilities reported by commercial organizations has steadily increased from 3Q 2009 to 1Q 2010.
  • As the economy has shown some improvement over the past several quarters, the amount of reporting done by commercial organizations has increased as well. This can be attributed to a slight increase in budget and incentives for those organizations reporting vulnerabilities.
  • In 1Q 2010, a large percentage of vulnerabilities were rated as high severity. Since the release of CVSS V2 in mid-2007, a disproportionately severe threat level has existed.
  • Vulnerability research focused less on operating systems and server applications, instead centering around client-side applications as major attack vectors.
  • Mobile devices will soon become a major attack vector as these devices become more familiar, more powerful, and more ubiquitous. The increase in popularity and development of PC tablets will also lead to an increase in the focus of attacks.
  • Multiple security research companies have adopted contributor compensation programs. These programs use monetary rewards as incentive for individuals to responsibly report discovered vulnerabilities to the security vendor.
  • The security vendor can then process the information, discover related issues, and provide an actionable report to the software vendor. This has proven to be an invaluable service for software vendors, and software vendors have become much more open and willing to collaborate to fix the reported issues.
  • The two companies reporting the most vulnerabilities in the first half of 2009 were VeriSign iDefense Labs and TippingPoint. Both companies successfully employ compensation programs to supplement their own internal research.
  • Integrity is a primary concern with a contributor program, making verification and further research from the crediting institution a necessity. iDefense Labs and TippingPoint currently engage in rigorous testing for commissioned vulnerabilities and background checks for the contributors.
  • Scareware is becoming a more common way of creating attacks. Several industry sources forecast this type of attack to increase throughout 2010.
  • Mobile malware attacks will increase as use of mobile devices increases. As a result, an increased focus on mobile security is a necessity.
  • As the U.S. government makes cybersecurity a top issue, budget increases in governmental resources for added security are anticipated.
  • In 2009, the Obama administration created a top-level office in charge of securing the United States cyberspace. This is being done by working with public and private sectors to create awareness of cybersecurity issues.

For more information visit http://www.researchandmarkets.com/research/78a639/world_vulnerabilit



CONTACT:

Research and Markets
Laura Wood, Senior Manager
press@researchandmarkets.com
U.S. Fax: 646-607-1907
Fax (outside U.S.): +353-1-481-1716

KEYWORDS:

INDUSTRY KEYWORDS:   Technology  Security
