SANS ISC InfoSec Forums
New trend regarding web application vulnerabilities?

In 2007, SANS published the "Top 20 Internet Security Problems, Threats and Risks" report, and since then I have been following, week by week, the distribution of vulnerabilities, and in particular of web application vulnerabilities versus all other vulnerabilities (server, client, network devices, etc.). The Top 20 report already listed web applications as the main server-side vulnerability (S1), with roughly a 50% prevalence compared with other server-side issues. When the Top 20 was replaced by "The Top Cyber Security Risks", web servers and applications were still priority number two, right behind unpatched client-side software.

Over this period of more than three years, a roughly fifty-fifty split has been the weekly norm on average, judging only by the rough numbers in the weekly SANS @Risk newsletter. More precisely, web-related vulnerabilities were above 50% of the total in 2007-2008 and about 30-55% in 2009 on average. However, during the last few weeks (since October 2010) there has been a shift in the stats: the share of web application vulnerabilities has dropped significantly, to an average in the 10-30% range.

Let's take a look at a few samples from the @Risk archive. Each entry gives the total number of web-app vulnerabilities (first number) vs the total number of other vulnerabilities (second number); the percentage in parentheses is the web-app share of the combined total (the sum of the two numbers):

  • Last four months of 2010 (by week number, most recent first):
    • #50: 13/37 (26%)
    • #49: 18/22 (45%)
    • #48: 4/35 (10%)
    • #47: 9/11 (45%)
    • #46: 4/32 (11%)
    • #45: 8/27 (22%)
    • #44: 9/24 (27%)
    • #43: 15/43 (25%)
    • #42: 7/38 (October 14, 2010 - 15%)
    • #41: 28/32 (46%)
    • #40: 22/23 (48%)
    • #39: 35/35 (50%)
    • #38: 9/33 (September 16, 2010 - 21%)
    • #37: 30/24 (55%)
    • ...
  • Similar numbers from 2009:
    • #52: 53/41 (56%)
    • #51: 34/51 (40%)
    • #50: 28/42 (40%)
    • #49: 28/16 (63%)
    • #48: 39/36 (52%)
    • #47: 16/35 (31%)
    • #46: 14/59 (19%)
    • #45: 16/31 (34%)
    • #44: 37/105 (26%)
    • #43: 14/32 (30%)
    • #42: 7/14 (33%)
    • #41: 17/29 (37%)
    • #40: 18/34 (34%)
    • #39: 31/28 (52%)
    • #38: 37/60 (38%)
    • #37: 12/67 (15%)
    • #36: 28/41 (40%)
    • ...
  • More random samples from the past:
    • 2009 #31: 35/49 (41%)
    • 2009 #24: 17/62 (21%)
    • 2009 #9: 38/46 (45%)
    • 2008 #43: 56/28 (66%)
    • 2008 #29: 56/36 (61%)
    • 2008 #9: 66/41 (61%)
    • 2007 #47: 32/37 (46%)
    • 2007 #8: 41/41 (50%)

Of course, some weeks may be skewed by a vendor's monthly patch day or by a researcher's focused work on a particular product or technology, but the estimated average and the trend are what matter here.
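To make the comparison reproducible rather than eyeballed, here is an added example (my own script, not code from the original diary or from the @Risk project) that recomputes the weekly web-app share from the 2009 and 2010 counts listed above, smooths it with a trailing moving average to damp single-week spikes from patch days or research bursts, and compares the same calendar window (weeks 42-50) in both years using both a pooled share and the mean of the weekly shares. The 4-week window, the 30% threshold and the comparison period are my assumptions; the counts are the ones on this page, and the 2007/2008 spot samples are left out because they are not consecutive weeks.

```python
"""Recompute the web-app share of weekly @Risk vulnerability counts.

Added example, not code from the original ISC diary or the @Risk project.
The counts are transcribed from the diary's lists (web-app, other); the
moving-average window, the 30% threshold and the comparison periods are
assumptions of mine.
"""
from statistics import mean

# (year, week) -> (web_app_vulns, other_vulns), as listed in the diary.
COUNTS = {
    (2010, 50): (13, 37), (2010, 49): (18, 22), (2010, 48): (4, 35),
    (2010, 47): (9, 11), (2010, 46): (4, 32), (2010, 45): (8, 27),
    (2010, 44): (9, 24), (2010, 43): (15, 43), (2010, 42): (7, 38),
    (2010, 41): (28, 32), (2010, 40): (22, 23), (2010, 39): (35, 35),
    (2010, 38): (9, 33), (2010, 37): (30, 24),
    (2009, 52): (53, 41), (2009, 51): (34, 51), (2009, 50): (28, 42),
    (2009, 49): (28, 16), (2009, 48): (39, 36), (2009, 47): (16, 35),
    (2009, 46): (14, 59), (2009, 45): (16, 31), (2009, 44): (37, 105),
    (2009, 43): (14, 32), (2009, 42): (7, 14), (2009, 41): (17, 29),
    (2009, 40): (18, 34), (2009, 39): (31, 28), (2009, 38): (37, 60),
    (2009, 37): (12, 67), (2009, 36): (28, 41),
}


def web_share(web, other):
    """Web-app vulnerabilities as a percentage of that week's total."""
    total = web + other
    return 100.0 * web / total if total else 0.0


def weekly_shares(counts, year, first, last):
    """Per-week shares for weeks first..last of a year, oldest first."""
    return [web_share(*counts[(year, week)]) for week in range(first, last + 1)]


def pooled_share(counts, year, first, last):
    """Share of the summed counts over the period. Weeks with many advisories
    weigh more, which damps a single vendor patch day or research burst."""
    web = sum(counts[(year, week)][0] for week in range(first, last + 1))
    other = sum(counts[(year, week)][1] for week in range(first, last + 1))
    return web_share(web, other)


def moving_average(values, window=4):
    """Trailing moving average (a 4-week window is an assumed choice)."""
    return [mean(values[i - window + 1:i + 1])
            for i in range(window - 1, len(values))]


def weeks_below(shares, threshold=30.0):
    """How many weeks fall under a threshold share (30% assumed as the lower
    edge of the diary's usual 30-55% band)."""
    return sum(1 for s in shares if s < threshold)


def compare_periods(counts, first=42, last=50):
    """Same calendar window (default weeks 42-50, October onwards) in both
    years: pooled share, mean weekly share and number of low weeks."""
    result = {}
    for year in (2009, 2010):
        shares = weekly_shares(counts, year, first, last)
        result[year] = {
            "pooled": round(pooled_share(counts, year, first, last), 1),
            "mean": round(mean(shares), 1),
            "weeks_below_30": weeks_below(shares),
            "weeks": len(shares),
        }
    return result


if __name__ == "__main__":
    for year in (2009, 2010):
        weeks = sorted(w for (y, w) in COUNTS if y == year)
        shares = weekly_shares(COUNTS, year, weeks[0], weeks[-1])
        print(year, "weekly share:", [round(s) for s in shares])
        print(year, "4-week moving average:",
              [round(s) for s in moving_average(shares)])
    for year, stats in compare_periods(COUNTS).items():
        print(year, "weeks 42-50:", stats)
```

The pooled share and the mean of weekly shares answer slightly different questions: the mean treats a week with 39 advisories and a week with 20 equally, while the pooled share weights by volume, which is the more defensible figure when single weeks are as small as 4 web-app findings out of 39. Both measures, and the count of weeks under 30%, move in the same direction for the 2010 window, which is what makes the shift more than weekly noise.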

I wonder what the reason for this is:

  • Is it simply because of changes in the way vulnerabilities are gathered, processed and published by the @Risk project?
  • Is it because we are reaching a point where we have more secure web applications?
  • Is it because researchers and third parties are getting tired of reporting new findings?
  • Something else?

If you have seen a similar shift in other vulnerability sources, or have some insight into the reason for it, please share your thoughts in the comments section below or through our contact page. If we receive a significant number of comments and related details, I will summarize them in a future ISC diary.

----
Raul Siles
Founder and Senior Security Analyst with Taddong
www.taddong.com

----

Anonymous: Can I get a CSV of the complete dataset?

Raul Siles (152 posts): Kahomono, sorry, but I don't have a CSV of the dataset. I suggest you contact the @Risk people just in case they have it.

Raul Siles (5 posts): I surmise this is attributed to fewer people reporting the vulnerabilities rather than fewer actually existing.

Raul Siles (152 posts): This is my feeling too, based on what I see every day in the wild, but I didn't want to influence the audience in advance through the diary :)