The Secunia Half Year Report for 2011 is now available

July 2011 by secunia

Secunia, the provider of Vulnerability Intelligence, today announced the release of the Secunia Half Year Report for 2011 which identifies important evolving global trends in end-point security, software, and the entire security ecosystem. Findings in the Secunia Half Year Report 2011 are based on data extracted from Secunia’s Vulnerability Intelligence Database, which uses information about thousands of products and vendors to continuously track vulnerabilities and the state of software security as a whole.

The first part of the report investigates the evolving threat of software portfolios typically found in organisations. Today, cybercriminals bypass traditional perimeter defences by means of the automated mass production of attack variants – thereby initiating an arms race with defenders.

Key findings in this part of the report include:

· Security patches are found to be an effective means to escape the arms race, as they remediate the root cause of compromise.

· Quantifying the dynamics of critical programs in software portfolios of up to 5,000 programs over the last few years identifies an increasing gap of unmitigated risk if the patching strategy covers Microsoft products only.

· Timely patching of the software portfolio of any organisation is like chasing a continually moving target.

· A comparison of different patching strategies under the assumption of limited resources demonstrates that an intelligent patching strategy is an effective approach for reducing vulnerability risks.

· An 80% reduction in risk can be achieved by either patching the 12 most critical or the 37 most prevalent programs in a sample portfolio.

· For the majority of vulnerabilities there are patches available on the day of disclosure, which puts a different perspective on the threat of 0-days.

The second section of the report presents global vulnerability data from the last five years and documents trends on a year-to-year basis as of June 2011. Comparing the data from the last two 12-month periods as of June 2011, together with the extrapolated trend for 2011, indicates a slow decrease in the global number of vulnerabilities.

Key findings in this part of the report include:

· Despite a slight overall decrease in the total number of vulnerabilities, we have seen a significant increase from 24% to 30% for the "System Access" impact class, which is considered the most critical impact class.

· There has been an increase in the number of advisories for which a patch was available on the day of disclosure. The patch "availability rate" has increased from 47% to 55% when comparing the last 12 months with the previous 12 months. This indicates that more researchers are coordinating the disclosure.

· There is currently no patch available for 26% of all advisories released during the past 24 months.

“Reducing cyber-risks with limited resources involves knowing the potential targets, knowing the weaknesses of traditional defences, and knowing where to complement these defences. Secunia’s research demonstrates that knowing what to patch certainly pays off,” says Thomas Kristensen, Chief Security Officer, Secunia.

