The Research Group has developed tools that objectively track and report on operational risk associated with software applications, operating systems and hardware. I have seen a number of “Most Risky” lists that seem to be subjective and crafted from nothing more than a few Google searches and a popularity contest. In response, here is a "Top 10" list, filtered for applications, sorted by overall vulnerability per issue and weighted by the age of each issue.
Top 10 Applications
- Microsoft Internet Explorer
- Mozilla Firefox
- PHP
- Mozilla Seamonkey
- Mozilla Thunderbird
- Microsoft Office
- Apple Quicktime
- BEA Weblogic Server
- Apple Safari
- Joomla
Top 25 Overall
Why 25? It is easier to show that software risk is time-sensitive, objective and accurate with a larger list. My current list as of this week tracks 14813 products from almost as many vendors.
Our risk metrics are collected automatically and sorted. Members of the team correct discrepancies introduced by bad data, and then the results are generated using statistical queries on MySQL.
http://nvd.nist.gov is the official data source for the risk information.
The ordered output is generated by an algorithm that computes a weighted value for each CVE based on the risk and age of that CVE, and then totals all the weighted CVEs across the life of a product. The total scores are then compared against one another. In this way, an application that has been out for a very short time could make the top of the list if it had more security issues of high criticality over its release life than most applications.
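As an added illustration, not the Research Group's own code (its weighting function is not published here), a Python sketch of the scoring described above run over constructed sample data; the exponential age decay with a one-year half-life, the product names and the CVE identifiers are assumptions. It shows how a young product with a few recent high-severity issues can outrank an older product with more, but older, CVEs.

```python
from collections import defaultdict
from datetime import date

# Assumed weighting: a CVE's weight halves for every year of age.
HALF_LIFE_DAYS = 365.0

# Constructed sample records: (product, cve_id, cvss_base_score, published).
# Product names and CVE ids are placeholders, not real NVD entries.
SAMPLE_CVES = [
    ("new-app", "CVE-0000-0001", 10.0, date(2008, 1, 1)),
    ("new-app", "CVE-0000-0002", 7.0, date(2008, 1, 1)),
    ("old-os", "CVE-0000-0003", 9.0, date(2006, 1, 1)),
    ("old-os", "CVE-0000-0004", 8.0, date(2007, 1, 1)),
    ("old-os", "CVE-0000-0005", 6.0, date(2006, 1, 1)),
    ("old-os", "CVE-0000-0006", 4.0, date(2008, 1, 1)),
    ("lib", "CVE-0000-0007", 5.0, date(2007, 1, 1)),
]


def age_weight(published, as_of, half_life_days=HALF_LIFE_DAYS):
    """Decay factor in (0, 1]: 1.0 for a CVE published today, 0.5 after one half-life."""
    age_days = max((as_of - published).days, 0)
    return 0.5 ** (age_days / half_life_days)


def weighted_score(cvss, published, as_of):
    """Risk of one CVE scaled by how recent it is."""
    return cvss * age_weight(published, as_of)


def rank_products(cves, as_of):
    """Total the weighted CVE scores per product and sort highest risk first."""
    totals = defaultdict(float)
    for product, _cve_id, cvss, published in cves:
        totals[product] += weighted_score(cvss, published, as_of)
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for product, score in rank_products(SAMPLE_CVES, date(2008, 1, 1)):
        print(f"{product:10s} {score:6.2f}")
```

With the sample data, "new-app" (two fresh CVEs) scores 17.00 and lands above "old-os" (four CVEs, mostly aged) at 11.75; rerun with a later as_of date and the ordering shifts as the newer issues age.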
The complete report segments out software by type (hardware, application, OS, platform), license (commercial, FOSS) and is generated weekly. The results are then compared to NVD’s Workload Index calculation in order to give an IT manager an accurate understanding of resource requirements to manage software issues. The report is available for a reasonable fee. To subscribe to the complete report, send an email to risk_report@airius.com.
Top 25 Software
- Apple Mac OS X
- Microsoft Internet Explorer
- Linux Kernel
- Mozilla Firefox
- Sun Solaris
- Microsoft Windows 2000
- Apple Mac OS X Server
- Microsoft Windows XP
- PHP PHP
- IBM AIX
- Microsoft Windows Server 2003
- Mozilla SeaMonkey
- HP HP-UX
- Mozilla Thunderbird
- Microsoft Office
- SuSE SuSE Linux
- Microsoft Windows NT
- Apple Quicktime
- FreeBSD FreeBSD
- BEA Systems WebLogic Server
- Red Hat Linux
- Gentoo Linux
- Debian Debian Linux
- Apple Safari
- Joomla Joomla
What does this mean?
Is this software bad?
No. What you see is that open source and proprietary software both have issues. The risk seems to correlate directly with the complexity of the software type. Operating systems are inherently very complex, and always rank very high in reported vulnerabilities. Notice that regardless of the license type, the level of relative risk is comparable within each software type. What this seems to indicate is that complex software takes diligent effort to write, debug, and manage in an operational environment, regardless of the license the software is distributed under. My team has tracked the resolution intervals relative to reported issues. What we saw as we started monitoring the publicly available data is that a well-used and available forum drives awareness of issues, and indirectly facilitates rapid resolution for complex software, regardless of licensing.
Risky software is not bad?
Tires wear out over time, asphalt roads need to be repaved frequently, roofs need to be replaced, plumbing leaks once in a while. The requirement to maintain systems, and to expect systems to require greater maintenance based on what those systems do, is normal. Expecting software to be without issues is unreasonable and naive.
Risk is good?
************************************************************
We are proud to have hosted over 80 interns in the last year from the leading schools in the United States. If you would like to be considered for an internship, please send a note to rdgroup@airius.com. You will receive instructions regarding how to apply.
************************************************************
For more information, go to http://gpl3.blogspot.com/. To stop receiving these weekly mailings, please send a message to rdgroup@airius.com with the subject "unsubscribe:gpl3". To start receiving these weekly mailings, please send a message to rdgroup@airius.com with the subject "subscribe:gpl3".
The Research Group (rdgroup@airius.com)
Ernest Park
Credits:
http://en.wikipedia.org/wiki/Vulnerability_(computing)