Critical vulnerabilities are on the decline, but software security remains a complex issue as mobile platforms and mature technologies such as supervisory control and data acquisition (SCADA) systems become increasingly major targets for exploits, according to a recent HP report. In its analysis of data from multiple vulnerability disclosure programs, including its own Zero Day Initiative (ZDI), HP concluded that 8,137 new vulnerabilities were disclosed in 2012, a 19 percent increase over 2011.
The report found that high-severity vulnerabilities – those with a CVSS score of 8 to 10 – made up 23 percent of the scored submissions to the Open Source Vulnerability Database (OSVDB) in 2011 but dropped to 20 percent in 2012. Researchers explained that this still means that one in five vulnerabilities allows potential attackers to gain full control of a target.
Web application issues and mature technologies
Web applications remain a common source of vulnerabilities, as four of the six most commonly submitted vulnerability types exist primarily or exclusively in web applications. These include SQL injection, cross-site scripting, cross-site request forgery and remote file include flaws. Cross-site scripting errors were the most common problem.
Upon further examination using static analysis, researchers found problems with information leakage, cryptographic storage and injection flaws were common as well. Dynamic and static analysis results suggested that coding vulnerabilities were responsible for creating "severe risks" such as information theft and privilege escalation in web applications.
The maturity of a technology is not necessarily an indicator of its software security, researchers added. SCADA system vulnerabilities have increased 768 percent since 2008, with 191 such flaws currently known.
Mobile platform vulnerabilities on the rise
Accompanying the growth in mobile device usage has been an explosion of mobile vulnerability disclosures, according to the report. The OSVDB reported a 68 percent increase in mobile vulnerability disclosures since 2011 and a 787 percent increase over the past five years. Mobile vulnerabilities largely mirror those of desktop applications: 37.5 percent of mobile applications were vulnerable to some type of authorization problem, approximately 55 percent did not protect against stack smashing attacks and 13.5 percent were vulnerable to cross-site scripting.
As new technologies such as near field communication (NFC) payments emerge, the importance of protecting mobile platforms is only expected to increase. HP advised organizations to strengthen mobile applications through audits of input injection and information leakage vulnerabilities.
"The code should be analyzed via static analysis when being developed to find code-based vulnerabilities," they wrote. "As with any application, it's much less expensive to address security vulnerabilities during development than once it has been released."
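The recommendation above, finding injection flaws by analysing source during development, is easiest to see with a concrete check. The following is an added illustration written for this article, not code from the HP report or from Fortify: a minimal AST-based static check that flags SQL query sinks built from runtime string concatenation or formatting (the class of coding error behind the SQL injection findings in the report), shown beside the parameterized form that the check accepts. The sample sources, the `users` table and the names `find_user`, `find_user_fmt` and `run_hardened` are constructed for the example.

```python
"""Minimal static check for SQL injection sinks in Python source.

Constructed example: parses source text with the standard `ast` module and
reports calls to execute()/executemany()/executescript() whose first
argument is assembled at runtime (concatenation, %, .format, f-string).
"""
import ast
import sqlite3

# Constructed sample: the vulnerable pattern, two ways.
VULNERABLE_SRC = '''
def find_user(cur, name):
    query = "SELECT id FROM users WHERE name = '" + name + "'"
    return cur.execute(query).fetchall()

def find_user_fmt(cur, name):
    return cur.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()
'''

# Constructed sample: the hardened pattern, user input passed as a parameter.
HARDENED_SRC = '''
def find_user(cur, name):
    return cur.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
'''

# DB-API method names treated as SQL sinks (assumed list for this example).
SQL_SINKS = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node, assigned):
    """True if the expression builds a string at runtime from other values."""
    if isinstance(node, ast.JoinedStr):  # f-string
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True  # "..." + x  or  "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True  # "...".format(x)
    if isinstance(node, ast.Name) and node.id in assigned:
        # Follow a local variable back to the expression assigned to it.
        return _is_dynamic_string(assigned[node.id], assigned)
    return False


def find_sql_injection_sinks(source):
    """Return (function_name, line_number) for every dynamically built SQL sink."""
    tree = ast.parse(source)
    findings = []
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        # Map each simple local assignment to its right-hand expression.
        assigned = {}
        for node in ast.walk(func):
            if isinstance(node, ast.Assign):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        assigned[target.id] = node.value
        # Flag sink calls whose query argument is not a plain string literal.
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in SQL_SINKS and node.args
                    and _is_dynamic_string(node.args[0], assigned)):
                findings.append((func.name, node.lineno))
    return findings


def run_hardened(name):
    """Run the parameterized query against a constructed in-memory database.

    A name containing a quote character is handled as data, which is the
    point of binding parameters instead of splicing them into the query.
    """
    con = sqlite3.connect(":memory:")
    cur = con.cursor()
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    cur.executemany("INSERT INTO users (name) VALUES (?)",
                    [("alice",), ("O'Brien",)])
    rows = cur.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    con.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    print("vulnerable:", find_sql_injection_sinks(VULNERABLE_SRC))
    print("hardened:  ", find_sql_injection_sinks(HARDENED_SRC))
    print("lookup:    ", run_hardened("O'Brien"))
```

The check is deliberately narrow: it follows only simple local assignments, so a query built in a helper and returned, or passed through a dictionary, would be missed. Commercial analyzers of the kind the report refers to track data flow across functions and files for exactly that reason; the value of even this small check is that it runs in the development loop, before release, where the quote above says fixes are cheapest.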
The disclosure landscape
Researchers noted that vulnerability reporting has varied since its peak in 2006, showing no clear up or down trend in the ensuing years. The number of vulnerabilities disclosed in any year may not necessarily be an indicator of overall industry security, as the process for discovery, disclosure and exploitation can vary significantly from year to year. Among the reasons for a slight decline in critical vulnerability disclosures in 2012 might be the use of stronger coding practices such as the use of source code analysis in the development lifecycle, as well as a more competitive market for vulnerabilities.
"We think a lot of these vulnerabilities are being sold in the black market or the gray one," Mark Painter, marketing manager for Fortify HP enterprise security, told The Register. "The growth of the gray market and the worth of vulnerabilities in dollars must have a reducing effect on the number of public disclosures that we see. Those dollars are there, and anything that goes down [the gray channel] doesn't become public."
With the interest in exploiting vulnerabilities rising in all quarters, businesses may want to continue deploying tools to make the development process safer. By using methods such as static analysis and code review, organizations can build more security into their software from the start.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.