Tuesday, January 13, 2009

2008: The Risk Report

The Research Group has developed tools that objectively track and report on operational risk associated with software applications, operating systems and hardware.

I have seen a number of “Most Risky” lists that seem to be subjective and crafted by nothing more than a few Google searches and a popularity contest. In response, here is a "Top 10" list, filtered for Applications, sorted by overall vulnerability per issue, weighted by age of issue.

Top 10 Applications
  1. Microsoft Internet Explorer
  2. Mozilla Firefox
  3. PHP
  4. Mozilla Seamonkey
  5. Mozilla Thunderbird
  6. Microsoft Office
  7. Apple Quicktime
  8. BEA Weblogic Server
  9. Apple Safari
  10. Joomla

Top 25 Overall

Why 25? It is easier to show that software risk is time sensitive, objective and accurate with a larger list. My current list as of this week tracks 14813 products from almost as many vendors.

Our risk metrics are collected automatically and sorted. Members of the team correct discrepancies introduced by bad data, and then the results are generated using statistical queries on MySQL.

http://nvd.nist.gov is the official data source for the risk information.

The ordered output is generated by an algorithm that scores a weighted value for each CVE based on the risk and age of that CVE, and then totals all the weighted CVEs across the life of a product. Such total scores are then compared one to another. In this way, an application that has been out for a very short time could make the top of the list if it had more security issues of high criticality over its release life than most applications.

The complete report segments out software by type (hardware, application, OS, platform), license (commercial, FOSS) and is generated weekly. The results are then compared to NVD’s Workload Index calculation in order to give an IT manager an accurate understanding of resource requirements to manage software issues. The report is available for a reasonable fee. To subscribe to the complete report, send an email to risk_report@airius.com.


Top 25 Software

  1. Apple Mac OS X
  2. Microsoft Internet Explorer
  3. Linux Kernel
  4. Mozilla Firefox
  5. Sun Solaris
  6. Microsoft Windows 2000
  7. Apple Mac OS X Server
  8. Microsoft Windows XP
  9. PHP PHP
  10. IBM AIX
  11. Microsoft Windows Server 2003
  12. Mozilla SeaMonkey
  13. HP HP-UX
  14. Mozilla Thunderbird
  15. Microsoft Office
  16. SuSE SuSE Linux
  17. Microsoft Windows NT
  18. Apple Quicktime
  19. FreeBSD FreeBSD
  20. BEA Systems WebLogic Server
  21. Red Hat Linux
  22. Gentoo Linux
  23. Debian Debian Linux
  24. Apple Safari
  25. Joomla Joomla

UPDATE: For the FOSS (free and open source software) list, go to https://fossbazaar.org/content/2008-risk-report-foss.

What does this mean?
The lists review vulnerabilities reported historically to the National Vulnerability Database and sort them. The reported vulnerabilities are weighted by their individual risk, then weighted by their historic age, where newer issues are more relevant than older issues, all else being the same.

The "percentage" is a relative metric, where the "most vulnerable" application for a report is scored 100%. All other software is scored relative to the 100%.
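The scoring described above (a per-CVE risk value weighted by the issue's age, totalled across a product's life, then expressed relative to the top-scoring product as 100%), as an added Python example rather than the Research Group's own tooling. The choice of CVSS base score as the risk value, the one-year half-life for age weighting, and the sample records are all assumptions; the report does not publish its formula.

```python
"""Relative software-risk ranking in the style of the report (added example).

Assumed, not taken from the report: CVSS base score is the per-issue risk,
and age weighting is exponential decay with a one-year half-life.
"""
from datetime import date

HALF_LIFE_DAYS = 365.0          # assumed: an issue loses half its weight per year
REPORT_DATE = date(2009, 1, 13)  # the date this report was published

# Constructed sample records: (product, cvss_base_score, published_date)
SAMPLE_CVES = [
    ("Browser A", 9.3, date(2008, 12, 10)),
    ("Browser A", 7.5, date(2007, 3, 1)),
    ("Browser A", 4.3, date(2004, 6, 15)),
    ("Browser B", 10.0, date(2008, 11, 20)),
    ("Library C", 5.0, date(2003, 1, 5)),
    ("Library C", 5.0, date(2002, 8, 30)),
]

def age_weight(published, as_of, half_life_days=HALF_LIFE_DAYS):
    """Weight in (0, 1]: 1.0 for an issue published today, halving each half-life."""
    age_days = max((as_of - published).days, 0)
    return 0.5 ** (age_days / half_life_days)

def weighted_score(cvss, published, as_of):
    """Per-CVE contribution: risk (CVSS) scaled by how recent the issue is."""
    return cvss * age_weight(published, as_of)

def product_totals(records, as_of):
    """Sum the weighted scores of every CVE across each product's release life."""
    totals = {}
    for product, cvss, published in records:
        totals[product] = totals.get(product, 0.0) + weighted_score(cvss, published, as_of)
    return totals

def relative_ranking(records, as_of):
    """Rank products; the highest total is 100%, the rest are relative to it."""
    totals = product_totals(records, as_of)
    top = max(totals.values()) if totals else 0.0
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(product, round(100.0 * total / top, 1)) for product, total in ranked]

def sample_ranking():
    """Run the ranking over the constructed sample as of the report date."""
    return relative_ranking(SAMPLE_CVES, REPORT_DATE)

if __name__ == "__main__":
    for rank, (product, pct) in enumerate(sample_ranking(), 1):
        print(f"{rank:2d}. {product:<10} {pct:5.1f}%")
```

Note how Browser B, with a single critical issue published weeks ago, lands close behind Browser A, while Library C's two old medium issues barely register: that is the "age of issue" weighting at work.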

Is this software bad?
No. What you see is that open source and proprietary software both have issues. The risk seems to correlate directly with the complexity of the software type. Operating systems are inherently very complex, and are always very high on reported vulnerabilities. Notice that regardless of the license type, the level of relative risk is comparable by software type. What this seems to indicate is that complex software takes diligent effort to write, debug, and manage in an operational environment, regardless of the licensing that the software is distributed under. My team has tracked the resolution intervals relative to reported issues. What we saw as we started monitoring the publicly available data is that a well-used and available forum drives awareness of issues, and indirectly facilitates rapid resolution for complex software, regardless of licensing.

So which application is the worst?
Software risk is a way of highlighting the management requirements imposed by software within an environment. Complex software may impose a greater management load than simple software. Tracking risk and vulnerabilities is a way that security and infrastructure managers can predict and deploy people and processes to actively manage the issues associated with certain types of software.

Risky software is not bad?
Tires wear out over time, asphalt roads need to be repaved frequently, roofs need to be replaced, plumbing leaks once in a while. The requirement to maintain systems, and to expect systems to require greater maintenance based on what these systems do, is normal. Expecting software to be without issues is unreasonable and naive.

Risk is good?
Of course it is. If risk management is a process of ongoing maintenance, a healthy and interactive community participating in the discovery and reporting of risk issues improves the software. Failing to manage complex software, regardless of free or proprietary licensing, is what is risky.

What do I do?
Complex software needs to have strong support and an active community. It is a greater risk to use a complex application that has no reported vulnerabilities than one that has many issues. Use the best software for the task. It may be risky, based on discovered issues. Understand that if your management process includes testing, validation of reported issues, and application of patches as available, your risk is incredibly low. If you can update your running software within 30 days of patch releases, your exposure is minimal, and you have an objective process to use complex and quality software within your environment.

Define Policies and Enforce Them
Software exists to facilitate the identification of software and services. Know what you are using, understand what the average work effort is to manage the installed software in your environment, and then set policies to monitor the active management of such software.

Summary
Software is asked to do many things. Complex software is asked to do many complex and critical things. More quality software is created by fewer people, in less time and with fewer resources. Is the software worse than it ever was? No. The power of the community works to expose these issues and drive resolutions quickly. Accept the fact that software is evolutionary, put a management process in place to take advantage of the input from the community (testing, validation, qualitative review, network and security policy, education), and apply qualified patches.

Clear information about software issues reduces operational risk if such information is put to use. The applications for which no information exists pose the greatest threat to security. Without community oversight and review, unknown applications have the opportunity to mistakenly slide under the radar while being large potential threats.

The riskiest software is the software that you don't know about.

************************************************************

Notable Mention

The Research Group actively takes submissions from visitors regarding stories, FOSS issues and project announcements. We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 150 core contributors who have devoted their time and resources to helping us provide up-to-date information. Send your stories and announcements to rdgroup@airius.com.

We are proud to have hosted over 80 interns in the last year from the leading schools in the United States. If you would like to be considered for an internship, please send a note to rdgroup@airius.com. You will receive instructions regarding how to apply.

************************************************************

Subscription

For more information, go to http://gpl3.blogspot.com/. To stop receiving these weekly mailings, please send a message to rdgroup@airius.com with the subject "unsubscribe:gpl3". To start receiving these weekly mailings, please send a message to rdgroup@airius.com with the subject "subscribe:gpl3".

The Research Group (rdgroup@airius.com)

Ernest Park


Credits:

http://nvd.nist.gov

http://en.wikipedia.org/wiki/Vulnerability_(computing)

What happened to the GPL Project Watch List

In October 2008, our research project was hit with the same economic crunch that has been affecting businesses throughout our country. The members of the Research Group are proud of what we delivered for more than a year, and we are glad that we were given the opportunity to deliver this significant information.

In April 2007, my team proposed the possibility of tracking the adoption and use of existing and new FOSS licensing. A month later, we started to build the database and write the web application for the search site. The team of researchers started crawling the internet manually and using specialized tools that we built to find indications of use of the new GPLv3 license. By July 2, the date of our first post, we had found 82 projects that announced GPLv3 releases as of June 29, 2007. While the start seemed lackluster, overall adoption has been consistent over the observed time, averaging 200 new GPLv3 project releases monthly, with over 4000 current FOSS releases under GPLv3.

We started tracking GPLv3 information as of June 29, 2007, and continued to do so for 15 months. Our team included over 50 research interns from schools throughout our country, the project managers and me. We successfully provided clear and objective information regarding the acceptance and use of the new GPLv3 license, and extended the scope of our interest to report news and trends as well.

Our reports explained licensing, copyright, best practices, and garnered a strong readership over the time that we managed this information. While there are methods to collect and manage this information using automated tools, we found enough errors and imprecision in the data to raise doubt and uncertainty in the quality of data that is not manually reviewed. We built tools to optimize our ability to review data, but we still qualified all data that made it into our database.

We are now self-sponsored and accepting sponsorship and contributions. The site will start publishing on a regular basis as before, and we hope to deliver timely and topical information. If you would like to help, contact us at sponsor@airius.com.

Subscription

For more information, go to http://gpl3.blogspot.com/. To stop receiving these weekly mailings, please send a message to list@airius.com with the subject "unsubscribe:gpl3". To start receiving these weekly mailings, please send a message to list@airius.com with the subject "subscribe:gpl3".

The Research Group (rdgroup@airius.com)

Ernest Park

Edwin Pahk

Antony Tran

Kevin Howard

Credits:
1929 Stock Market Crash
President George Bush and Barack Obama