Friday 6 November 2009

SIR (yes, SIR)

Security Intelligence Report

I know, because they told me, that one of the reasons certain of my colleagues don't blog, is that a "typical" entry would be along the lines of "Here's a link to something interesting." And that would be that.

I have times like that. While I normally stack them up until there's enough to compile a summary, like the "Security Digest" posts here and here, sometimes by contrast the backlog is too interesting to wait that long. A case in point is the Security Intelligence Report, Volume 7, published this week by Microsoft. Bryan Sullivan of the SDL group mentioned it on Wednesday, for the purpose of drawing attention to one particular piece of analysis, namely the number of industry-wide reported vulnerabilities, as broken down by category: OS, browser, and application. A worthwhile graph (worth a thousand words at any rate) summarising these results can be seen here:

but I'd like to make a couple of additional comments on this.

App vulnerabilities show an incessant upward trend, with just two exceptions: 2H07, and 1H09. These isolated drops can be traced directly to significant events in the SDL roll out.
  • In the first case, 2H07: although the life cycle project was initiated internally at Microsoft by His Billness in 2002, there was a lengthy period of digestion and gestation (there I go again with the metaphor train wrecks), and in fact early 2007 was the tipping point for adoption by third parties. This is evidenced by the publication and/or update of numerous related MS resources. For example, the MS-SDL blog started that April, in response to "a lot of friendly pokes from customers, partners, colleagues, and competitors, asking us to say more about [the SDL] in an open forum". Realistically, 2H07 was the very earliest point at which these resources and materials could possibly have had any measurable effect on third party (vulnerability exploit) mitigations.
  • In the second case, 1H09: well what can I say, except - welcome to the new, improved, Team System... now with added SDL!
Secondly, whilst not visibly tracking the app security holes over any analytically useful window, the OS vulnerabilities nevertheless have shared the recent dip observed in the apps. Why? After all, app vulns are predominantly 3rd party, while OS vulns (at least in this study) are exclusively MS. Maybe MS simply made a better effort over the piece, to patch OS vulns asap?

Finally, take a close look at those browser vulnerabilities. Shunning the trend, these have risen once again. I've mentioned recently that this particular trend should be expected, simply as a consequence of the widely reported change of focus on the part of the exploiters. It does not take an Einstein, nor indeed a Schneier, to foresee a continuation in this area.

The full detail of the SIR can be read here:
