Open Source Platforms Arrive On IBM's Most Vulnerable List
IBM Internet Security Systems is out with its X-Force 2008 Mid-Year Trend Statistics report. This is an extremely exhaustive look at security vulnerabilities in both proprietary and open source software. It highlights trends in malware and phishing, and ranks vendors, open source projects, and even languages by security breach disclosures. With the rise of open source software, including much more adoption in enterprises, it's no surprise to see some open source platforms arrive on the top ten most vulnerable list, including one in second place, sandwiched between Apple and Microsoft. Which open source projects qualified--for the first time?
The IBM study used a new standard to classify vulnerabilities by vendor and project this year: CPE, or Common Platform Enumeration. According to the study's authors:
"This new methodology plus some changes in the vulnerability landscape has brought some newcomers to our top ten list: Joomla!, an open-source content management system for web sites,"...and..."Drupal, another open-source content management system for web sites."
WordPress, by the way, is also on the top ten list for the first time. "An obvious trend demonstrated by the appearance of these vendors on the top ten list is the increasing prevalence of web-related vulnerabilities," say the study's authors. In other words, hackers and phishers have their eyes on web-based targets more than ever before, so it follows that popular content management systems would pop up.
Then there's this nugget:
"Another commonality between these three vendors is that they are all written in PHP. If we look back over last year’s disclosures and apply the new CPE methodology to them, we would uncover another newcomer to the top five list, PHP itself, which would rank number four in the 2007 top five vendor list."
The top ten most vulnerable vendors/projects are ranked by "disclosures," which here means the number of security vulnerabilities publicly disclosed for each vendor's or project's products during the period. It's also worth noting that Linux is on the top ten list--barely. Here's how the list looks, and there is more in the IBM report:
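As an added illustration of the methodology described above (this is not code from the IBM report, and the disclosure records in it are constructed, not real advisories), the following Python parses CPE 2.2 names of the `cpe:/part:vendor:product:version` form that was current in 2008, attributes each disclosure to the vendors it affects, and ranks vendors by disclosure count. A single disclosure that lists several products or versions of the same vendor is counted once for that vendor, which is the kind of normalization that makes a per-vendor tally comparable across vendors; the advisory identifiers and the `Cpe`, `parse_cpe` and `rank_vendors` names are the author's own.

```python
from collections import Counter
from typing import Iterable, List, NamedTuple, Tuple
from urllib.parse import unquote


class Cpe(NamedTuple):
    """Leading components of a CPE 2.2 name (later components are ignored here)."""
    part: str      # "a" application, "o" operating system, "h" hardware
    vendor: str
    product: str
    version: str


def parse_cpe(name: str) -> Cpe:
    """Parse a CPE 2.2 URI such as cpe:/a:joomla:joomla:1.5.

    Components are colon-separated and may be percent-encoded; missing
    trailing components are returned as empty strings.
    """
    prefix = "cpe:/"
    if not name.startswith(prefix):
        raise ValueError(f"not a CPE 2.2 name: {name!r}")
    fields = [unquote(f) for f in name[len(prefix):].split(":")]
    if not fields or fields[0] not in ("a", "o", "h"):
        raise ValueError(f"invalid CPE part in {name!r}")
    fields += [""] * (4 - len(fields))  # pad to part, vendor, product, version
    return Cpe(fields[0], fields[1].lower(), fields[2].lower(), fields[3])


# Constructed sample: (advisory id, CPE names the advisory lists as affected).
# These identifiers are placeholders, not real advisories.
SAMPLE_DISCLOSURES: List[Tuple[str, List[str]]] = [
    ("EXAMPLE-2008-0001", ["cpe:/a:joomla:joomla:1.5"]),
    ("EXAMPLE-2008-0002", ["cpe:/a:joomla:joomla:1.0", "cpe:/a:joomla:joomla:1.5"]),
    ("EXAMPLE-2008-0003", ["cpe:/a:drupal:drupal:5.7"]),
    ("EXAMPLE-2008-0004", ["cpe:/a:wordpress:wordpress:2.5"]),
    ("EXAMPLE-2008-0005", ["cpe:/o:microsoft:windows_xp:sp2", "cpe:/o:microsoft:windows_vista"]),
    ("EXAMPLE-2008-0006", ["cpe:/o:apple:mac_os_x:10.5"]),
    ("EXAMPLE-2008-0007", ["cpe:/a:drupal:drupal:6.2", "cpe:/a:php:php:5.2"]),
    ("EXAMPLE-2008-0008", ["cpe:/o:linux:linux_kernel:2.6"]),
]


def rank_vendors(disclosures: Iterable[Tuple[str, List[str]]], top: int = 10) -> List[Tuple[str, int]]:
    """Count disclosures per vendor and return the top N as (vendor, count).

    A disclosure affecting several products or versions of one vendor is
    counted once for that vendor; one affecting several vendors counts once
    for each. Ties are broken alphabetically so the ranking is deterministic.
    """
    counts: Counter = Counter()
    for _advisory_id, names in disclosures:
        affected_vendors = {parse_cpe(n).vendor for n in names}
        counts.update(affected_vendors)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top]


if __name__ == "__main__":
    for position, (vendor, count) in enumerate(rank_vendors(SAMPLE_DISCLOSURES), start=1):
        print(f"{position:2d}. {vendor:<12} {count} disclosure(s)")
```

Run as a script it prints the per-vendor ranking for the constructed sample; swapping `SAMPLE_DISCLOSURES` for records pulled from a real feed that carries CPE names gives the same tally over real data. The choice to count a multi-product advisory once per vendor is a policy decision, and a different choice (one count per affected product, say) would reorder the list, which is exactly why the report's change to a CPE-based methodology moved vendors such as PHP into its top five.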