HP: When 'Good' Security News Isn't

HP is just the latest in a long list of security vendors touting its comprehensive cyber security report showing what the most recent threats are, how they’ve changed and--sometimes subtly, sometimes not--how their security technology can protect you. But its study is another illustration of how the tech industry is constantly playing catchup with the criminals. HP’s report also illustrates how seemingly good news can turn out to be bad.

April 23, 2012

Network Computing

In its just-released 2011 Top Cyber Security Risks Report, the world's largest IT vendor notes that the number of vulnerabilities identified in commercial software in 2011 fell by 20% from 2010, continuing a decline that began in 2006. Good news, right? Software is being designed better and is more secure?

Not quite, says Jennifer Lake, security product marketing manager for DVLabs, a unit within HP that does app vulnerability analysis. Fewer vulnerabilities are being discovered because they are harder to discover. "For a security researcher, finding severe vulnerabilities is not actually that easy," she says, explaining that one factor is that there isn’t enough institutional knowledge of the history of vulnerabilities in commercial software that has been patched.

"What you need is someone who has a specialized knowledge of that application, understands the inner workings and has to be able to go in and say that 'I know if I go in through this door and do this one thing, this is what’s going to happen,'" Lake says. "You have to have a specialized knowledge, which takes more time."

What DVLabs does know about the identified vulnerabilities is that they are getting more dangerous. Of the known vulnerabilities, 24% were rated as level 8-to-10 in severity, she notes.

The notion that seeming success in cyber security is actually contradicted by a greater threat is also evident in a Cisco Systems cyber security report from 2011. It found a steep decline in the number of mass spam or phishing attacks by cyber criminals. But it turns out that cyber thieves had not necessarily learned the error of their ways but had instead found a smarter way to steal.

Given that email filters blocked more spam and that users were getting wise to phishing attacks, the criminals switched to spear phishing--targeted attacks in which personal information is used to trick a person into clicking on a link.

These and other changes in the way cyber criminals work show that the burden remains on security experts to try to keep up. "We’re constantly in a catchup mode," says Adam Hils, product manager for the HP security line Fortify, an acquisition from 2010. As enterprises increasingly embrace Web-based applications to run their businesses more productively, efficiently and cost-effectively, those advantages are offset by new security threats. And enterprises sometimes put themselves at risk by not placing a greater emphasis on security.

Just a few weeks ago RSA, EMC's security arm, reported that there was a "troubling lack of attention" to security and privacy risks among directors and top executives. The Carnegie Mellon University CyLab 2012 Governance Survey of Forbes Global 2000 companies revealed that 70% of those surveyed "occasionally, rarely or never" review and approve top-level policies on IT security and privacy; 74% occasionally, rarely or never approve roles and responsibilities for lead personnel for privacy and security; and 64% occasionally, rarely or never approve annual budgets for privacy and security protection.

The HP 2011 security report was based in part on information from the DVLabs (DV stands for Digital Vaccine) Open Source Vulnerability Database (OSVDB), which lists publicly disclosed vulnerabilities in commercial applications. The HP report notes that 36% of vulnerabilities identified in commercial apps are in Web-delivered apps, and that four of the top six vulnerabilities were in Web apps.

HP, through its Fortify and TippingPoint security acquisitions, does both static and dynamic assessments of application vulnerabilities. Static refers to analyzing the code in development and after deployment to identify weaknesses, says Hils, while the dynamic approach takes the point of view of a hacker relentlessly trying to break in. Either way, the assessments reveal how hard it is to write secure apps.

"When you have a Web-facing development team that is responsible for putting out many apps a year and for maintaining legacy apps, and as the threat landscape changes ... it’s a constant battle," he says. "You never quite get to 100% [secure]. For Web app security ... we’re much more in the middle somewhere."
