A common question I'm asked by clients and at various security conferences is why some software vendors have more vulnerabilities than others – in particular, why the software developed by the biggest vendors continually appears to be vulnerable to the latest attacks, while the small niche vendors seem to be immune.
There are of course multiple elements to the answer, any one of them a significant factor in understanding why the statistics tend to back their conclusion. However, one of the most significant aspects to vulnerability discovery is accessibility.
While it sounds like a cliché, a high volume of security research is really done in the metaphorical bedroom.
Experienced and would-be security professionals alike hone their skills by downloading the latest versions of popular software on to their personal systems, and spending long evenings and weekends poking and prodding them, trying to uncover new vulnerabilities.
So why are the largest vendors suffering more from security vulnerabilities? It's most unlikely that they are not as well coded as their smaller competitors. Instead, it's often because the software is so easy to acquire.
Every security researcher I know will simply go to a vendor's site and download a trial or evaluation copy of the software, set it up on their test system or laptop, and then start digging for security flaws.
I'm sure that if the vendors understood this aspect of vulnerability research, there would be more interesting conversations at board level.
By making trial versions of their software available, vendors are allowing potential buyers to evaluate the software and come to like their solution – a highly valuable practice from a sales and marketing perspective.
The downside, of course, is that more security professionals (and tinkerers) are going to be hunting for flaws, which is likely to affect existing customers of the software and increasingly affect the company's share price.
Vendors that control access to trial downloads, or that implement a trialactivation license via a "contact our sales representative on this number" kind of interaction, tend to fare better than those that allow carte-blanche downloading and execution. The reason is that they are able to determine the type of individual or organization making the request.
Vendors that don't allow any downloading whatsoever, and use sales presentations and non-interactive demos instead, fare even better – assuming that the cost of purchasing the actual software is more than a few hundred dollars and it isn't popularly pirated.
Of course, the bigger and better organized the research group is, the less likely it is that the cost of acquiring valid (non-trial) versions of the software will prove a barrier to vulnerability research.
The same rationale applies to those really big and costly business-critical, enterprise-level applications and infrastructure platforms.
Having a high installation cost along with a limited market means that security researchers don't have the opportunity to "play" with the application and find new vulnerabilities. Things change when the products go mainstream and evaluation versions become available – just ask Oracle how things changed after its infamous "Unbreakable" product marketing caused security researchers to clamor for copies and prove them wrong.
That said, with many global firms now recruiting their own internal security assessment and penetration testing teams, the likelihood is increasing that next-generation professional security researchers will have uncovered security flaws within these previously inaccessible enterprise application platforms.
Don't be surprised if over the next year researchers start publishing high volumes of vulnerabilities in previously "secure" applications and platforms such as SAP, OS/400, Tivoli, Great Plains or even BlackBerry.
Let's just hope these researchers follow responsible disclosure guidelines.
Guner Ollmann is director of X-Force, Internet Security Systems
