Community criticises security firm's vulnerability report
Broad-brush statements made by security vendor Cenzik in its "Web Application Security Trends Report" have sparked considerable resentment among members of the security community. Particularly the statement that Firefox leads the field of popular browsers and accounts for 44 per cent of all vulnerabilities, while Internet Explorer reportedly only contributes 15 per cent, has rekindled the inevitable discussion about "comparing apples and oranges". While Cenzik doesn't explicitly state that the open source browser is less secure than other browsers, the report fails to explain the figures given – leaving plenty of room for interpretation.
With Cenzik reporting Safari's as having a 35 per cent share in the vulnerability pie, the Apple fan base is also likely to feel offended – a more thorough perusal of the 29-page report, however, reveals that the majority of the reported Safari vulnerabilities relate to the iPhone version of Safari and not the desktop version of the browser. The Mozilla Foundation generally thinks that simply adding up product vulnerabilities creates an inconclusive picture, and has repeatedly criticised reports released by other security firms and vendors in this regard. Mozilla say that to accurately measure a browser's security, the exploitability and level of danger as well as the time from a hole's detection to its closure, also need to be considered.
Microsoft has recently expressed a similar opinion, at least in terms of the exploitability of holes, to that of the Mozilla Foundation. According to Steve Lippner of the Trustworthy Computing Group, the major successes of the Security Development Lifecycle (SDL) include both preventing software vulnerabilities and making holes in recent product versions far more difficult to exploit. The CTO of Secunia, who make detailed notes on all the software vulnerabilities reported, has also criticised the figures without annotations. He said, for a proper comparison, an evaluation also needs to include how fast updates become available and how easy it is to install them. He added, the safe integration of add-ons and plug-ins is another factor.
Cenzik's report also includes other figures concerning web applications: The number of disclosed vulnerabilities has reportedly risen by 10 per cent to almost 3,100 in Q2 of 2009 compared to Q1. Cenzik say that overall, the problems with cross-site scripting, SQL injection, session management, click-jacking and similar vulnerabilities account for almost three quarters of all the security holes reported.