Q1 Software Vulnerabilities

This was an interesting article on cio.com: Apple, Oracle, Google Lead Major Vendors with Software Vulnerabilities in Q1, Security Report Says – based on a report by Trend Micro. Now, these stats are always a bit of a challenge: they make a really good headline, but if the statistics do not include the severity of the vulnerabilities, it is hard to judge what this really means in practical terms.

Anyway, if you look at the article, it says:

Apple reported 91 vulnerabilities during the period, making it number one among the top 10 technology vendors in the industry, said the report, "Security in the age of Mobility."
Trailing Apple were Oracle (78 vulnerabilities), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27) and Apache (24).
In addition, Trend Micro reported that Apple issued a record number of patches to its Safari browser in March during the period. A year earlier, March was also a mammoth month for patches, with Apple addressing 93 vulnerabilities, a third of them characterized as "critical," in its Leopard and Snow Leopard operating system.

If you put this in proportion to the size of the portfolio, it would look even better for us at Microsoft. However, this by no means says that we feel good about 43 vulnerabilities, but it does show that our Security Development Lifecycle pays off.

This is also more or less consistent with what we see with customers: today they typically know how to roll security updates out to their Microsoft environment, but they are often challenged with the rest of their applications. And if you look at where the majority of vulnerabilities are, it is typically in third-party code (and not “only” from the vendors listed above, but also in custom-written code).

Therefore I am still calling on customers to ask their vendors for a secure development lifecycle.

Roger