In 2007, SANS published the "Top 20 Internet Security Problems, Threats and Risks" report, and since then I have been following every week the distribution of vulnerabilities, and in particular of web application vulnerabilities versus other vulnerabilities (server, client, network devices, etc.). The Top 20 report already listed web applications as the main server-side vulnerability (S1), with about a 50% prevalence in comparison with other server-side issues. When the Top 20 was replaced by "The Top Cyber Security Risks", web servers and applications were still priority number two, right behind unpatched client-side software. During this period of more than three years, this fifty-fifty distribution has been the norm on average every week, just by looking at the rough numbers from the weekly SANS @Risk newsletter. In reality, and roughly speaking, it was +50% in 2007-2008 and about 30-55% in 2009 on average for the total number of web-related vulnerabilities. However, recently, during the last few weeks (since October 2010), there has been a kind of shift in the stats, and the number of web application vulnerabilities has significantly decreased (to an average range of 10-30%). Let's take a look at a few samples from the @Risk archive. The numbers reflect the total number of web-app vulnerabilities (first number) vs. the total number of other vulnerabilities (second number). Between brackets is the percentage of web-app vulnerabilities out of the total number of vulnerabilities (the sum of the previous two numbers):
Of course, some weeks might be influenced by the monthly patch days of specific vendors, or by specific research someone did on a vendor product or kind of technology, but the estimated average and trend are what is relevant here. I wonder what the reason for this is:
If you have seen a similar trend shift in other vulnerability sources, or you have some insight into the reason for it, please share your thoughts in the comment section below or through our contact page. If we receive a significant amount of comments and related details, I will summarize them in a near-future ISC diary.
Raul Siles, 152 Posts, Dec 12th 2010
Dec 12th 2010
Can I get a CSV of the complete dataset?
Anonymous
Dec 12th 2010
Kahomono, sorry, but I don't have a CSV of the dataset. I suggest you contact the @Risk people, just in case they have it.
Raul Siles, 152 Posts
Dec 12th 2010
I surmise this is attributed to fewer people reporting the vulnerabilities rather than fewer actually existing.
Raul Siles, 5 Posts
Dec 13th 2010
This is my feeling too, based on what I see every day in the wild, but I didn't want to influence the audience in advance through the diary :)
Raul Siles, 152 Posts
Dec 18th 2010