There’s an exhaustive new security report out from IBM Internet Security Systems: the X-Force 2008 Mid-Year Trend Statistics report. We’ve analyzed it over on the OStatic blog from the perspective of several open source platforms arriving on the “most vulnerability disclosures” list for the first time, and web workers will find quite a few points of interest in the report too.
The X-Force report tracks trends in malware, phishing, most vulnerable software vendors, and even vulnerable development languages. One of the big themes to jump out of this year’s report is that common platforms for creating content on the web, as well as web sites themselves, pose increasing security threats.
Bloggers and other users of WordPress may be interested to know that it arrived on the X-Force top ten list of highest number of security vulnerability disclosures for the first time, in the number nine spot. If you thought Microsoft would be the software provider making the most security vulnerability disclosures of any vendor, think again. Apple tops the list, and Microsoft is in third place.
The Linux community often touts Linux as far more secure than other operating systems, but it shows up at number 10 on the list. The Joomla! and Drupal open source content management systems are also on the list, with Joomla! in second place, above Microsoft.
The report also notes that Joomla!, Drupal and WordPress are all written in PHP, and that PHP itself is very high on the list of vulnerability disclosures. Virtualization vulnerabilities are also cited as rapidly growing.
The United States tops the report’s list of countries of origin for phishing messages, with South Korea a close second. Here’s an interesting statistic on phishing: in the report’s list of the most popular subject lines for phishing messages, PayPal appears in six of the top ten. United States banks topped the list of companies most targeted by phishers.
There are quite a lot of interesting data points and graphics in the report. Of course, any time you’re evaluating vendor-supplied security data, it is worth keeping an eye on whether the supplier is pushing its own agenda. In the case of the IBM report, though, much of the data is easily verifiable. For example, the number of published vulnerability disclosures by individual vendors is completely verifiable, because the disclosures are public. With that caveat in mind, the report is worth a look.