A common question I'm asked by clients and at various security conferences is why some software vendors have more vulnerabilities than others – in particular, why the software developed by the biggest vendors continually appears to be vulnerable to the latest attacks, while the small niche vendors seem to be immune.
There are of course multiple elements to the answer, any one of them a significant factor in understanding why the statistics tend to support that impression. However, one of the most significant factors in vulnerability discovery is accessibility.
While it sounds like a cliché, a high volume of security research really is done in the proverbial bedroom.
Experienced and up-and-coming security professionals alike hone their skills by downloading the latest versions of popular software onto their home or personal systems, and spending long evenings and weekends poking and prodding them, trying to uncover new vulnerabilities.
So why are the largest vendors suffering more from security vulnerabilities? It's most unlikely that they are more poorly coded than their smaller competitors. Instead, it's often because the software is so easy to acquire.
Every security researcher I know will just go to a vendor's site and download a trial or evaluation copy of the software, set it up on their test system or laptop, and then start digging for security flaws.
I'm sure that if the vendors understood this aspect of vulnerability research, there would be more interesting conversations at board level.
By making trial versions of their software available, vendors are allowing potential buyers to evaluate the software and come to like their solution – a highly valuable practice from a sales and marketing perspective.
The downside, of course, is that more security professionals (and tinkerers) are going to be hunting for flaws. More flaws found means more disclosures, which affects existing customers of the software and, increasingly, the company's share price.
Vendors that control access to trial downloads, or which implement a trial activation licence to use the software through a "contact our sales representative on this phone number" kind of interaction, tend to fare better than those that allow carte-blanche downloading and execution. The reason is that they are able to better qualify the type of individual or organisation making the request. Note that "fare better" here means fewer published vulnerabilities, not necessarily fewer flaws in the code.
Vendors that don't allow any downloading whatsoever, and use sales presentations and non-interactive demos instead, fare even better – assuming that the cost of purchasing the actual software is more than a few hundred pounds and it isn't popularly pirated.
Of course, the bigger and better organised the research group is, the less likely it is that the cost of acquiring valid (non-trial) versions of the software will prove a barrier to their vulnerability research.
The same rationale applies to those really big and costly business-critical, enterprise-level applications and infrastructure platforms.
Having a high installation cost along with a limited market means that security researchers don't have the opportunity to "play" with the application and find new vulnerabilities. Things change when the products become mainstream and evaluation versions become available – just ask Oracle how things changed after its infamous "Unbreakable" product marketing caused security researchers to clamour for copies and set about proving it wrong.
Having said all that, with many international firms now recruiting for their own internal security assessment and penetration-testing teams, the likelihood is increasing that next-generation professional security researchers will have the time, and the access, to uncover security flaws within these previously inaccessible enterprise application platforms.
Don't be surprised if over the next year individual researchers start publishing high volumes of vulnerabilities in previously "secure" applications and platforms such as SAP, OS/400, Tivoli, Great Plains or even Blackberry.
Let's just hope that these researchers follow responsible disclosure guidelines.
Gunter Ollmann is director of X-Force, Internet Security Systems