What do Joomla!, Drupal, and WordPress Have In Common? | Intelligent Enterprise Blog

Posted by Kas Thomas
Monday, August 18, 2008
4:31 PM

Big Blue recently released its IBM Internet Security Systems X-Force 2008 Mid-Year Trend Statistics report, and it contains more than a few eyebrow-raisers. For example: Web-application-based security vulnerabilities have begun to outnumber reports involving conventional viruses and trojans (of the kind that target the operating system). We're now at the point where 51 percent of newly discovered software vulnerabilities depend in some way on Web-page interactions.

Also, there's been a sharp surge in the number of vulnerabilities that involve SQL injection (as opposed to cross-site scripting). Meanwhile, the use of infected image files (.gif or .jpg) as a way to inflict mayhem is on the decline.

What really got my attention, though, is the new Top Ten list of vendors with the most vulnerability disclosures. Normally you would expect Microsoft to be at the top of that list (I would, at least). Instead, it's at Number 3, behind Apple and... Joomla!. Fortunately, Joomla! can be secured, but it's quite possible that many novice Joomla! installers never do so.

Numbers 8, 9 and 10 are interesting, as well: Drupal, WordPress, and Linux.

The finding that no fewer than four of the top ten vendors with the most reported vulnerabilities are open-source projects is, at first blush, quite striking. But the results should be viewed with caution. In part, the rankings reflect a recent change in IBM's data-gathering methodology (which the report's authors are quick to point out). Another important caveat is that the numbers are not normalized against adoption rates or installed seats or any other usage metrics. They're based on raw numbers.

It's worth remembering, too, that open source projects are extraordinarily open about security vulnerabilities. Hence you would expect a comparatively high rate of reporting for an open-source product. Finding, publishing, and fixing security vulnerabilities is something the open-source community has gotten quite good at, particularly in the Linux world, where every line of code for the entire operating system (including all encryption routines, random-number-generating code, and so on) is available free for the downloading. Security flaws in Linux tend to be found and corrected with astonishing alacrity.

On the other hand, it's striking that three of the Top Ten contenders on IBM's security worry-list have PHP in common. You can read into that whatever you want, I suppose. I'm not a PHP expert, but I'm enough of a web developer to know that languages don't create security problems; programmers do.

If you have the time and the inclination, download the IBM report. At 85 pages, it's a well worthwhile lunch-hour read, if you care about Web-app security... as I think we all should.
