Showing posts with label GNU.

Tuesday, January 13, 2009

2008: The Risk Report

The Research Group has developed tools that objectively track and report on operational risk associated with software applications, operating systems and hardware.

I have seen a number of "Most Risky" lists that seem subjective, crafted from little more than a few Google searches and a popularity contest. In response, here is a "Top 10" list, filtered for applications, sorted by overall vulnerability per issue and weighted by the age of each issue.




Top 10 Applications
  1. Microsoft Internet Explorer
  2. Mozilla Firefox
  3. PHP
  4. Mozilla Seamonkey
  5. Mozilla Thunderbird
  6. Microsoft Office
  7. Apple Quicktime
  8. BEA Weblogic Server
  9. Apple Safari
  10. Joomla

Top 25 Overall

Why 25? A larger list makes it easier to show that software risk is time sensitive and that the ranking is objective and accurate. As of this week my list tracks 14813 products from almost as many vendors.

Our risk metrics are collected automatically and sorted. Members of the team correct discrepancies introduced by bad data, and then the results are generated using statistical queries on MySQL.

http://nvd.nist.gov is the official datasource for the risk information.

The ordered output is generated by an algorithm that scores a weighted value for each CVE based on the risk and age of that CVE, and then totals all the weighted CVEs across the life of a product. The totals are then compared against one another. In this way, an application that has been out for a very short time could make the top of the list if it had more security issues of high criticality over its release life than most applications.

The complete report segments out software by type (hardware, application, OS, platform), license (commercial, FOSS) and is generated weekly. The results are then compared to NVD’s Workload Index calculation in order to give an IT manager an accurate understanding of resource requirements to manage software issues. The report is available for a reasonable fee. To subscribe to the complete report, send an email to risk_report@airius.com.


Top 25 Software

  1. Apple Mac OS X
  2. Microsoft Internet Explorer
  3. Linux Kernel
  4. Mozilla Firefox
  5. Sun Solaris
  6. Microsoft Windows 2000
  7. Apple Mac OS X Server
  8. Microsoft Windows XP
  9. PHP PHP
  10. IBM AIX
  11. Microsoft Windows Server 2003
  12. Mozilla SeaMonkey
  13. HP HP-UX
  14. Mozilla Thunderbird
  15. Microsoft Office
  16. SuSE SuSE Linux
  17. Microsoft Windows NT
  18. Apple Quicktime
  19. FreeBSD FreeBSD
  20. BEA Systems WebLogic Server
  21. Red Hat Linux
  22. Gentoo Linux
  23. Debian Debian Linux
  24. Apple Safari
  25. Joomla Joomla
UPDATE: For the FOSS (free and open source software) list, go to https://fossbazaar.org/content/2008-risk-report-foss.

What does this mean?
The lists take the vulnerabilities reported historically to the National Vulnerability Database and sort them. Each reported vulnerability is weighted by its individual risk and then by its age, so that newer issues count more than older ones, all else being equal.

The "percentage" is a relative metric, where the "most vulnerable" application for a report is scored 100%. All other software is scored relative to the 100%.
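As an added example of the scoring just described (this is not the Research Group's code, and the exact weighting function they used is not published on this page), here is one way to compute such a ranking from NVD-style records: the CVSS base score of each CVE is decayed with an assumed one-year half-life, the decayed scores are totalled per product over the product's whole release life, and each total is expressed as a percentage of the worst product's total. The product names, CVE labels and dates are constructed so the arithmetic can be checked by hand; the `kind` field stands in for the report's type segmentation (application, OS, and so on).

```python
"""Weighted, age-decayed CVE ranking in the style of the Risk Report.

Added example, not the Research Group's own code.  The half-life decay is an
assumption; the report date is taken from the post.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

REPORT_DATE = date(2009, 1, 13)   # date of the post
HALF_LIFE_DAYS = 365.0            # assumed: a CVE counts half as much after one year


@dataclass(frozen=True)
class CveRecord:
    cve_id: str        # placeholder label, not a real CVE identifier
    product: str       # vendor/product as it would appear in an NVD CPE name
    kind: str          # "application", "os", ... (the report's type segmentation)
    cvss_base: float   # NVD CVSS base score, 0.0 .. 10.0
    published: date    # NVD publication date


def age_weight(published: date, as_of: date = REPORT_DATE,
               half_life_days: float = HALF_LIFE_DAYS) -> float:
    """Assumed decay: full weight on the publication day, halving every
    half_life_days.  A CVE published after the report date is not in the
    data yet and gets weight 0 rather than a weight above 1."""
    age_days = (as_of - published).days
    if age_days < 0:
        return 0.0
    return 0.5 ** (age_days / half_life_days)


def weighted_score(rec: CveRecord, as_of: date = REPORT_DATE) -> float:
    """Risk (CVSS base score) times age weight: the per-CVE value the post describes."""
    return rec.cvss_base * age_weight(rec.published, as_of)


def product_totals(records: Iterable[CveRecord], as_of: date = REPORT_DATE,
                   kind: Optional[str] = None) -> Dict[str, float]:
    """Sum the weighted CVEs over each product's whole release life.
    kind filters to one segment, e.g. "application" for a Top 10 Applications list."""
    totals: Dict[str, float] = {}
    for rec in records:
        if kind is not None and rec.kind != kind:
            continue
        totals[rec.product] = totals.get(rec.product, 0.0) + weighted_score(rec, as_of)
    return totals


def rank_products(records: Iterable[CveRecord], as_of: date = REPORT_DATE,
                  kind: Optional[str] = None) -> List[Tuple[str, float, float]]:
    """Return [(product, weighted_total, percent)] sorted worst-first, with the
    worst product scored 100% and every other product relative to it."""
    totals = product_totals(records, as_of, kind)
    if not totals:
        return []
    top = max(totals.values())
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(p, t, (100.0 * t / top) if top > 0 else 0.0) for p, t in ranked]


# Constructed sample input (not NVD data).  Dates are chosen so that the ages
# are exact multiples of the half-life: weights 1, 0.5, 0.25, 0.125.
SAMPLE_CVES = [
    CveRecord("sample-1", "product-x", "application", 9.3, date(2009, 1, 13)),  # age 0    -> 9.30
    CveRecord("sample-2", "product-x", "application", 7.5, date(2008, 1, 14)),  # age 365  -> 3.75
    CveRecord("sample-3", "product-x", "application", 9.0, date(2009, 2, 1)),   # future   -> 0.00
    CveRecord("sample-4", "product-y", "os", 10.0, date(2007, 1, 14)),          # age 730  -> 2.50
    CveRecord("sample-5", "product-y", "os", 10.0, date(2006, 1, 14)),          # age 1095 -> 1.25
    CveRecord("sample-6", "product-y", "os", 5.0, date(2008, 1, 14)),           # age 365  -> 2.50
    CveRecord("sample-7", "product-y", "os", 4.3, date(2009, 1, 13)),           # age 0    -> 4.30
    CveRecord("sample-8", "product-z", "application", 2.1, date(2009, 1, 13)),  # age 0    -> 2.10
]

if __name__ == "__main__":
    for product, total, pct in rank_products(SAMPLE_CVES):
        print(f"{product:<10} weighted total {total:6.2f}  relative {pct:6.1f}%")
```

With this input product-x, which has only two counted CVEs but recent high-severity ones, outranks product-y with four CVEs, two of them critical but old: that is the effect the post describes for a product "that has been out for a very short time". Filtering with `kind="application"` reproduces the per-segment lists, and the percentage is recomputed against the worst product within that segment.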

Is this software bad?
No. What you see is that open source and proprietary software both have issues. The risk seems to correlate directly with the complexity of the software type. Operating systems are inherently very complex and always rank very high in reported vulnerabilities. Notice that regardless of license type, the level of relative risk is comparable within a software type. What this seems to indicate is that complex software takes diligent effort to write, debug and manage in an operational environment, regardless of the license it is distributed under. My team has tracked resolution intervals relative to reported issues. What we saw as we started monitoring the publicly available data is that a well-used, open forum drives awareness of issues and indirectly facilitates rapid resolution for complex software, regardless of licensing.

So which application is the worst?
Software risk is a way of highlighting the management requirements imposed by software within an environment. Complex software may impose a greater management load than simple software. Tracking risk and vulnerabilities is a way that security and infrastructure managers can predict and deploy people and processes to actively manage the issues associated with certain types of software.

Risky software is not bad?
Tires wear out over time, asphalt roads need to be repaved frequently, roofs need to be replaced, plumbing leaks once in a while. The requirement to maintain systems, and to expect systems to require greater maintenance based on what they do, is normal. Expecting software to be without issues is unreasonable and naive.

Risk is good?
Of course it is. If risk management is a process of ongoing maintenance, a healthy and interactive community participating in the discovery and reporting of risk issues improves the software. Failing to manage complex software, free or proprietary, is what is risky.

What do I do?
Complex software needs strong support and an active community. It is a greater risk to use a complex application that has no reported vulnerabilities than one that has many issues. Use the best software for the task; it may be risky, based on discovered issues. Understand that if your management process includes testing, validation of reported issues and application of patches as they become available, your residual risk is low. If you can update your running software within 30 days of a patch release, your exposure is minimal, and you have an objective process for using complex, quality software within your environment.

Define Policies and Enforce Them
Software exists to identify the software and services in use. Know what you are using, understand the average work effort needed to manage the installed software in your environment, and then set policies to monitor the active management of that software.

Summary
Software is asked to do many things. Complex software is asked to do many complex and critical things. More quality software is created by fewer people, in less time and with fewer resources. Is the software worse than it ever was? No. The power of the community works to expose these issues and drive resolutions quickly. Accept the fact that software is evolutionary, put a management process in place to take advantage of the input from the community (testing, validation, qualitative review, network and security policy, education), and apply qualified patches.

Clear information about software issues reduces operational risk if such information is put to use. The applications for which no information exists pose the greatest threat to security. Without community oversight and review, unknown applications have the opportunity to mistakenly slide under the radar while being large potential threats.

The riskiest software is the software that you don't know about.










************************************************************

Notable Mention

The Research Group actively takes submissions from visitors regarding stories, FOSS issues and project announcements. We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 150 core contributors who have devoted their time and resources at helping us provide up-to-date information. Send your stories and announcements to rdgroup@airius.com.

We are proud to have hosted over 80 interns in the last year from the leading schools in the United States. If you would like to be considered for an internship, please send a note to rdgroup@airius.com. You will receive instructions regarding how to apply.

************************************************************

Subscription

For more information, go to http://gpl3.blogspot.com/. To stop receiving these weekly mailings, please send a message to rdgroup@airius.com with the subject "unsubscribe:gpl3". To start receiving these weekly mailings, please send a message to rdgroup@airius.com with the subject "subscribe:gpl3".

The Research Group (rdgroup@airius.com)

Ernest Park


Credits:

http://nvd.nist.gov

http://en.wikipedia.org/wiki/Vulnerability_(computing)














What happened to the GPL Project Watch List

In October 2008, our research project was hit with the same economic crunch that has been affecting businesses throughout our country. The members of the Research Group are proud of what we delivered for more than a year, and we are glad that we were given the opportunity to deliver this significant information.


In April 2007, my team proposed the possibility of tracking the adoption and use of existing and new FOSS licensing. A month later, we started to build the database and write the web application for the search site. The team of researchers started crawling the internet manually and using specialized tools that we built to find indications of use of the new GPLv3 license. By July 2, the date of our first post, we had found 82 projects that had announced GPLv3 releases as of June 29, 2007. While the start seemed lackluster, overall adoption has been consistent over the observed period, averaging 200 new GPLv3 project releases monthly, with over 4000 current FOSS releases under GPLv3.

We started tracking GPLv3 information as of June 29, 2007, and continued to do so for 15 months. Our team included over 50 research interns from schools throughout our country, the project managers and me. We successfully provided clear and objective information regarding the acceptance and use of the new GPLv3 license, and extended the scope of our interest to report news and trends as well.

Our reports explained licensing, copyright, best practices, and garnered a strong readership over the time that we managed this information. While there are methods to collect and manage this information using automated tools, we found enough errors and imprecision in the data to raise doubt and uncertainty in the quality of data that is not manually reviewed. We built tools to optimize our ability to review data, but we still qualified all data that made it into our database.

We are now self-sponsored and accepting sponsorship and contributions. The site will start publishing on a regular basis as before, and we hope to deliver timely and topical information. If you would like to help, contact us at sponsor@airius.com.























************************************************************

Subscription

For more information, go to http://gpl3.blogspot.com/. To stop receiving these weekly mailings, please send a message to list@airius.com with the subject "unsubscribe:gpl3". To start receiving these weekly mailings, please send a message to list@airius.com with the subject "subscribe:gpl3".


The Research Group (rdgroup@airius.com)

Ernest Park

Edwin Pahk

Antony Tran

Kevin Howard



Credits:
1929 Stock Market Crash
President George Bush and Barack Obama











Tuesday, September 30, 2008

GPL Project Watch List for Week of 09/19


The GPL v3 Watch List is intended to give you a snapshot of the GPLv3/LGPLv3 adoption for September 12th to September 19th 2008.

This Week:
  • Week Summary
  • New Projects
  • Interop 2008 and Open Source
  • User Contributions
Moving along

Thanks to the hard work of the research team, we have noticed an increase in project conversion. This week our GPL v3 count is at 3184 GPL v3 projects, an increase of 184 GPL v3 projects. The AGPL v3 count is at 130 AGPL v3 projects. The LGPL v3 number is at 294 LGPL v3 projects, an increase of 8 LGPL v3 projects.
















New project conversions this week include:
  • Ongame Hand Converter: Ongame Hand Converter is a tool to convert poker hands, played at a skin of the Ongame poker network, into a more readable format. This can be useful if you want to discuss your hands with others, for example at a forum.

  • PyMaTi: PyMaTi is a simple and easy to use GUI for numerical and scientific computing in Python. It surrounds the well-known packages NumPy and Matplotlib and provides the possibility of immediately playing with numerical Python from an intuitive user interface.

  • StorYBook: Are you a novelist, writer or author? StorYBook is a scene-based program for all creative writers that helps to organize your story. StorYBook assists you in structuring your book.
*************

Interop 2008 and Open Source

This year's Interop exhibition in New York City ended a little over a week ago; it ran from September 15th to September 19th. Interop is a tech expo where more than 300 leading technology exhibitors come to show off their products. It is a good look into what is coming up in IT in the near future from business leaders such as IBM, Cisco, Oracle and many others. So what was the big buzz at this year's exhibition? Two of the largest subjects that came up were Web 2.0 and cloud computing. High speed internet is spreading to more homes every day and will soon be as common as cable TV, so it is no surprise that the experimental fields of Web 2.0 and cloud computing are the main focus of the IT community. There is no doubt that these new areas of IT will affect open source and also be affected by open source software.

First off, IBM revealed its Center for Social Software, a collaboration between IBMers, clients, partners, students and others at its Cambridge, Massachusetts location to further research Web 2.0 applications. The center will test new and current Web 2.0 tools to enhance their usage for business networks. IBM's goal is to use Web 2.0 to better connect people so that information can be accessed more easily. Bob Picciano, general manager of IBM's Lotus Software, believes that workers are going through an information overload trying to locate information. Web 2.0 should help ease the overload by connecting people to share information over social networks. Using social networking at the workplace can boost efficiency and increase productivity.

On the other side of the booth, Cisco was taking on virtualization and cloud computing. Cloud computing has been a hot-button topic over the past year. People are still wondering what exactly it is and how we are going to get there. Marie Hattar of Cisco Systems outlined the workings of virtualization and said it will evolve into cloud computing. With both technologies her concern was security, advising companies to start small and plan ahead for security. As cloud computing continues to evolve, the commercial side of it will rely heavily on security and trust. If consumers are storing data on a virtual machine that can be accessed from any computer, it opens the door to a multitude of security risks and concerns. The companies offering these cloud services are going to have to convince their customers that their data will be safe from attack on their servers.

Both Web 2.0 and cloud computing are going to affect and be affected by the open source market. Novell's CEO Ron Hovsepian said, "To us the future of IT is based on open source and open standards". Open standards are already widespread in wikis and social networking sites such as Facebook. Much of Web 2.0 was and is being built on open source software. Web 2.0 is still in its early stages, and the space and need for open source software is growing quickly. Cloud computing is also a space in which open source software should take off. Many open source projects already generate revenue by providing the software for free and charging for the service. Cloud computing will be on-demand and service-based. SaaS is a large marketplace for open source software, as people are migrating from paying for the software to paying for the service. While these new experimental fields are coming into the mainstream there are going to be many opportunities for open source software to gain a foothold in the marketplace.

-Antony Tran

References:

http://www.interop.com/

http://www.crn.com/software/210602265

http://www.crn.com/networking/210602222

http://www.internetnews.com/dev-news/article.php/3772276/Interop+Its+All+About+Collaboration.htm

http://www.informationweek.com/news/services/hosted_apps/showArticle.jhtml?articleID=210602225


****************************************************************************
We appreciate all the contributions that have been made, either through the form on our web page or by email, and we also like to hear why you are changing your project's license, as in the email above. It gives us more insight into which direction license trends are moving. We will continue to post user contributions to our blog each week, and we may quote parts of your emails. If you wish the email to remain private, just say so and we will not disclose any part of it.

Link Partners
If you are willing to copy and translate the content weekly, please let me know. You will receive the content as soon as it is available, and your site will be listed as a translation. I can send you a bit of tracking code so that you get credit for your contribution to the readership of this site. Post your link on the bottom of the blog page.

Send me a note at rdgroup@airius.com that you are using some or all of the content. I will make sure that we host links to your sites, and we will be able to use your content within this site as well.

************************************************************

Notable Mention

The Research Group actively takes submissions from visitors on updates on new GPL v3/LGPL 3 projects. We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 100 core contributors who have devoted their time and resources at helping us provide up-to-date information.

************************************************************

Subscription

For more information, go to http://gpl3.blogspot.com/.

To stop receiving these weekly mailings, please send a message to rdgroup@palamida.com with the subject "unsubscribe:gpl3".

To start receiving these weekly mailings, please send a message to rdgroup@palamida.com with the subject "subscribe:gpl3".

************************************************************

Our Sponsor, Palamida, Inc.

The GPL3 project, sponsored by Palamida, Inc (http://palamida.com/ ), is an effort to make reliable publicly available information regarding GPLv3 license usage and adoption in new projects.

The opinions expressed within the GPL3 Information Blog are exclusively those of Ernest Park, the subjects interviewed and the contributing authors, and are not intended to reflect the positions of Palamida, Inc and its employees.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

************************************************************

Palamida was launched in 2003 after its founders learned first-hand what happens when companies don't have full visibility into the code base of their software applications based on Open Source Software. Their experiences inspired them to create a solution to streamline the process of identifying, tracking and managing the mix of unknown and undocumented Open Source that comprises a growing percentage of today's software applications. Palamida is the industry's first application security solution targeting today's widespread use of Open Source Software. It uses component-level analysis to quickly identify and track undocumented code and associated security vulnerabilities as well as intellectual property and compliance issues and allows development organizations to cost-effectively manage and secure mission critical applications and products.

For more information about FOSS management solutions, go to http://palamida.com/, or send a note to sales@palamida.com.

Please mention the GPL3 site when you reach out to Palamida.


The Research Group (rdgroup@airius.com)

Ernest Park
Edwin Pahk
Kevin Howard