In 2007, SANS published the "Top 20 Internet Security Problems, Threats and Risks" report, and since then, I have been following every week the distribution of vulnerabilities, and in particular, of web application vulnerabilities versus other vulnerabilities (server, client, network devices. etc). The Top 20 report already reflected web applications as the main server-side vulnerability (S1), with about a 50% prevalence in comparison with other server-side issues. When the Top 20 was replaced by the "The Top Cyber Security Risks", still web servers and applications were priority number two, right behind unpatched client-side software.

During this more than three years period, this fifty-fifty distribution has been the norm on average every week, just by looking at the rough numbers from the weekly SANS @Risk newsletter. In reality, and roughly speaking, it was +50% on 2007-2008 and about 30-55% in 2009 on average for the total number of web-related vulnerabilities. However, recently, during the last few weeks (since October 2010), there has been a kind of shift on the stats, and the number of web application vulnerabilities have significantly reduced (in the average range of 10-30%).

Let's take a look at a few samples from the @Risk archive. The numbers reflect the total number of web-app vulnerabilities (first number) vs total number of other vulnerabilities (second number). Between brackets is the % of web-app vulnerabilities from the total number of vulnerabilities (the sum of the previous two numbers):

• Last four months: (sorted by number of the week in 2010)
  
  • #50: 13/37 (26%)
  • #49: 18/22 (45%)
  • #48: 4/35 (10%)
  • #47: 9/11 (45%)
  • #46: 4/32 (11%)
  • #45: 8/27 (22%)
  • #44: 9/24 (27%)
  • #43: 15/43 (25%)
    
  • #42: 7/38 (October 14, 2010 - 15%)
  • #41: 28/32 (46%)
  • #40: 22/23 (48%)
  • #39: 35/35 (50%)
  • #38:  9/33 (September 16, 2010 - 21%)
  • #37: 30/24 (55%)
  • ...
• Similar numbers from 2009:
  • #52: 53/41 (56%)
  • #51: 34/51 (40%)
  • #50: 28/42 (40%)
  • #49: 28/16 (63%)
  • #48: 39/36 (52%)
  • #47: 16/35 (31%)
  • #46: 14/59 (19%)
  • #45: 16/31 (34%)
  • #44: 37/105 (26%)
  • #43: 14/32 (30%)
  • #42: 7/14 (33%)
  • #41: 17/29 (37%)
  • #40: 18/34 (34%)
  • #39: 31/28 (52%)
  • #38:  37/60 (38%)
  • #37: 12/67 (15%)
  • #36: 28/41 (40%)
  • ...
• More random samples from the past:
  • 2009 #31: 35/49 (41%)
  • 2009 #24: 17/62 (21%)
  • 2009 #9: 38/46 (45%)
  • 2008 #43: 56/28 (66%)
  • 2008 #29: 56/36 (61%)
  • 2008 #9: 66/41 (61%)
  • 2007 #47: 32/37 (46%)
  • 2007 #8: 41/41 (50%)

Of course, some weeks might be influenced by different monthly patch days from specific vendors, or by specific research someone did on a vendor product or kind of technology, but estimated average and trend is what is relevant here.

I wonder what is the reason for this:

• Is simply because there have been changes in the way the vulnerabilities are gathered, processed and published by the @Risk project?
• Is because we are reaching to a point were we have more secure web applications?
• Is because researchers and third-parties are getting tired of reporting the new findings?
• Others?

If you have seen a similar trend shift from other vulnerability sources, or you have some insight of what is the reason for this, please share your thoughts in the comment section below or through our contact page. If we received a significant amount of comments and related details I will summarize them on a near future ISC diary.

----
Raul Siles
Founder and Senior Security Analyst with Taddong
www.taddong.com