Increasing Complexity of Attacks Heighten Demand for Vulnerability Information

Business Wire, August 2, 2007

DUBLIN, Ireland -- Research and Markets (http://www.researchandmarkets.com/reports/c64680) has announced the addition of the Frost & Sullivan report "Q1 2007 World Vulnerability Research Markets" to their offering.

The Frost & Sullivan research titled Q1-2007 World Vulnerability Research Markets examines the entire vulnerability research market including educational, corporate, and individual participants, providing in-depth analysis and insightful perspectives.

Network and communication technology is the backbone of business all over the world and yet the value of such systems is largely underestimated until they come under attack. Past attacks have shown that the consequences of inadequate protection can be dire, often resulting in the loss of billions of dollars in revenues over the years. Malicious researchers have realized the monetary value of unpatched security vulnerabilities and are racing to find new vulnerabilities. Consequently, there is now a very real demand for the vulnerability information, essential for the prevention of such attacks. Accordingly, companies that have aligned their business strategy have gained a strong competitive advantage and are emerging as leaders in the world market for vulnerability research.

Interestingly, vulnerability compensation programs have reignited a great deal of debate in recent months. This was sparked primarily by the CanSecWestcontest in which TippingPoint paid a researcher for the discovery of a zero-day exploit. "While supporters claim that compensation programs facilitate the exchange of information between independent researchers and software vendors, critics assert that vulnerability compensation programs create an environment that promotes a mercenary attitude amongst researchers, thereby harming the market as a whole," notes the analyst of this research service. "TippingPoint and iDefense are the best known vulnerability compensation programs, and both claim to deal only with reputable sources and act in a responsible manner."

Trend toward Reporting only Critical Vulnerabilities

Quite significantly, there is a huge difference between the numbers of critical vulnerabilities reported compared to the number of low- or medium-rated vulnerabilities - strengthening the idea that there is more prestige associated with reporting a critical vulnerability. This is dangerous as there is a trend in exploitation, where hackers are combining less critical vulnerabilities to gain access to a network. Simultaneously, the number of vulnerabilities reported by software vendors is shrinking. Frost & Sullivan believes that this shows that software vendors are likely to develop a patch, but not report the vulnerability to the computer emergency response team (CERT). However, this may also suggest a lack of product testing by software vendors.

With regard to operating systems, Microsoft is the largest target for hackers because it still boasts of the most prevalent operating systems (more than 90 percent of desktops and 35 percent of servers). Due to this, Microsoft is affected by the highest number vulnerabilities, twice as many as Apple. Linux systems were a close second in this regard. Among Web browsers, IE and Opera both have strictly critical vulnerabilities, while Firefox has a more even spread of low, medium, and high risk vulnerabilities. Individual researchers are responsible for the majority of the disclosed vulnerabilities in Mozilla products. "Overall, TippingPoint is currently on track to disclose far more vulnerabilities than last year, with more than twice as many disclosures as Q1 of 2006," says the analyst. "Likewise, VeriSign, Secunia, IBM Internet Security Systems, and McAfee are also on pace to disclose more vulnerabilities than last year."

For more information visit http://www.researchandmarkets.com/reports/c64680