Apple, Microsoft top vulnerability ranking
Security firm Secunia has just released its Half Year Security Report (.pdf), which I downloaded to examine further. Unlike many of the sponsored studies that get passed around these days, the 19-page .pdf report from Secunia draws upon an independent and respected database of actual vulnerabilities, tagged using a consistent (and pretty well defined) vulnerability criticality classification.
And guess which vendors took the top three spots with the highest number of reported vulnerabilities per year?
Apple (NASDAQ: AAPL) took the first place, followed by Oracle (NASDAQ: ORCL) and Microsoft (NASDAQ: MSFT). Other vendors in the top 10 list include Adobe (NASDAQ: ADBE) Systems (no surprise on this I suppose), VMware, Cisco (NASDAQ: CSCO), Mozilla and even Google (NASDAQ: GOOG).
Of course, it would be foolhardy and drastically unfair to assess the "performance" of a vendor by the sheer vulnerability count alone. Many other factors need to be considered, with Secunia itself suggesting that attention should be paid to the "change in the type of vulnerabilities, code quality, handling of vulnerability reports, ability to update users, quality of patches, ability to communicate to end users, number of products, complexity of product portfolio and other factors which cannot be read out of mere aggregate numbers." Phew, what a list.
High market share equates to high vulnerability count
And while it must be pointed out that counting the number of vulnerabilities is at best a crude measuring stick, it does form some kind of basis to better understand the influence that the various software vendors exert on the computing sphere. In fact, the companies with the most popular products seem to have scored the highest vulnerability counts.
Consider, for example, that Apple makes iTunes (ubiquitous now thanks to the sheer number of iPods and iPhones sold), Oracle has Java (acquired as part of the Sun Microsystems deal) and Microsoft makes Windows, Office and Internet Explorer. Adobe, of course, has its Acrobat Reader and Flash plug-ins.
Overall, the top 10 vendors are responsible for 38 percent of the reported vulnerabilities per year. The sobering fact is, according to the report, that "vulnerabilities continue to be discovered in significant numbers in products from even the largest and most popular vendors" and this apparently includes those who are in a position to "spend significant resources on improving the security of their products."
Is security a lost cause?
Even though one is tempted to think that all is lost, perhaps a glimmer of hope remains in the example of Microsoft. You see, in spite of the sheer pervasiveness of its products, Microsoft seems to have made relatively large strides toward improving the state of security in its products compared to other software makers.
So much so that attackers are now focusing on exploiting 3rd party applications rather than those found in Microsoft's products. Secunia evaluated the typical software portfolio of a PC user, concluding that "A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed." Even better (or worse, if taken from the perspective of third-party software), this ratio is further expected to increase to 4.4 in 2010.
So while detractors can argue that few vendors have the financial clout and technical expertise of Microsoft, perhaps other software makers on the Top 10 list can at least hope to reduce their security footprint by emulating how Microsoft does its disclosure, patching and its secure coding initiatives - Paul Mah (Twitter @paulmah)