IBM's X-Force Security Report Details Security Trends


There’s an exhaustive new security report out from IBM Internet Security Systems: the X-Force 2008 Mid-Year Trend Statistics report. We’ve analyzed it over on the OStatic blog from the perspective of several open source platforms arriving on the “most vulnerability disclosures” list for the first time, and web workers will find quite a few points of interest in the report too.

The X-Force report tracks trends in malware, phishing, most vulnerable software vendors, and even vulnerable development languages. One of the big themes to jump out of this year’s report is that common platforms for creating content on the web, as well as web sites themselves, pose increasing security threats.

Bloggers and other WordPress users may be interested to know that WordPress made the X-Force top ten list of vendors with the most vulnerability disclosures for the first time, in ninth place. If you thought Microsoft would be the vendor with the most disclosed vulnerabilities, think again: Apple tops the list, and Microsoft is third.

The Linux community often touts Linux as far more secure than other operating systems, yet it shows up at number ten on the list. The Joomla! and Drupal open source content management systems are also on the list, with Joomla! in second place, ahead of Microsoft.

The report also notes that Joomla!, Drupal and WordPress are all written in PHP, and that PHP itself ranks very high on the list of vulnerability disclosures by development language. Virtualization vulnerabilities are also cited as growing rapidly.

The United States tops the report’s list of countries of origin for phishing messages, with South Korea a close second. One striking phishing statistic: PayPal appears in six of the ten most common phishing subject lines. United States banks top the list of companies most targeted by phishers.

The report contains a lot of interesting data points and graphics. As with any vendor-supplied security data, it is worth keeping an eye on whether the supplier is pushing its own agenda. In the case of the IBM report, though, much of the data is easily verifiable; the number of published vulnerability disclosures per vendor, for example, can be checked directly against the public disclosures themselves. Bear in mind, too, what such a count does not tell you: it says nothing about the severity or exploitability of the vulnerabilities, or about how quickly they were fixed. With those caveats in mind, the report is worth a look.


Cole Markoff

I despise the phishing emails; they appear to get more desperate by the day. I get two or three every day and submit them to phishtrackers, a site I recently found that allows you to report them anonymously.


I would also be curious to find out whether distinctions were made between the core application and extensions. I see Joomla extensions show up all the time on watch lists because of SQL injection vulnerabilities, etc. I suspect those numbers may be inflated because of weaknesses in peripheral software.

Rob Clayburn

Completely agree with Harlan. I skimmed the report but didn't see any mention of how quickly any exploits were fixed, which to me is a pretty relevant piece of info.


So just to be clear, a product with scads of undisclosed vulnerabilities appears better in this study than one which quickly and openly deals with its problems. It’s hard to measure what you can’t track, but these numbers don’t tell the full story.
