The list of vulnerabilities submitted to HP TippingPoint’s Zero Day Initiative (ZDI) is extensive, but many of the attacks featured are familiar, according to program manager Brian Gorenc. Gorenc recently shared some insights about the past year’s vulnerability landscape with eSecurity Planet and highlighted both the progress being made and the steps left to take in improving software security.
ZDI published 203 vulnerability advisories in 2012, with more than 100 related to Microsoft products, eSecurity Planet reported. Most of the Microsoft submissions involved Internet Explorer, while the bug classes that saw the most growth were those that targeted mobile devices. Gorenc noted that there is more research being done on mobile vulnerabilities as mobile becomes more central to people’s computing behavior. However, many of the vulnerabilities reported in 2012 used familiar attack vectors.
“We saw steady submissions of buffer overflows and use-after-free vulnerabilities as well as SQL injections,” Gorenc told eSecurity Planet. “We focus on remote code execution vulnerabilities, so those are the types of things that people submit to us.”
Improvements in handling vulnerabilities
While submissions to the ZDI program were numerous in 2012, they were actually fewer than in past years. This decline in disclosures is due, in part, to improved coding practices and more mature code bases, Gorenc told SearchSecurity.com. He also told eSecurity Planet that the quality of vulnerability write-ups seems to be improving, which may also be helping vendors address vulnerabilities. Solid research reports that go beyond merely noting that a product is vulnerable allow the vendor to pinpoint the root cause and determine how to address the flaw through a patch or other mitigation strategies.
To continue to improve software security, vendors can build more secure coding practices into their development process. By using tools such as source code analyzers, programmers can catch errors before software goes live, decreasing risk. Gorenc recommended that developers adopt these secure coding practices if they want to reduce vulnerabilities and the overall cost of handling them later on.
“If you catch bugs earlier on during development, it costs less to fix than once it gets out in public,” he told eSecurity Planet. “Not every bug is exploitable, but a bug is a bug and software developers need to focus on improving the maturity and quality of products that come out.”
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.