Security News

Phishers represent over half of all web-based threats.

Security response team says there is no vulnerability in IIS 6.0.

Matt Olney and I spoke about the role of a Product Security Incident Response Team (PSIRT) at my SANS Incident Detection Summit this month. I asked if he would share his thoughts on how software vendors should handle vulnerability discovery in their software products.

I am really pleased to report that Matt wrote a thorough, public blog post titled Matt’s Guide to Vendor Response. Every software vendor must read and heed this post. “Software vendor” includes any company that sells a product that runs software, whether it is a PC, mobile device, or a hardware platform executing firmware. Hmm, that includes just about everyone these days, except the little old ladies selling fabric at the hobby store.

Seriously, let’s make 2010 the year of the PSIRT — the year companies make dealing with vulnerabilities in their software an operational priority. I’m not talking about “building security in” — that’s been going on for a while. Until I can visit a variation of company.com/psirt, I’m not satisfied. For that matter, I’d like to see company.com/cirt as well, so outsiders can contact a company that might be inadvertently causing trouble for Internet users. (And yes, if you’re wondering, we’re working on both at my company!)

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

It’s that time of year again: the time at which all sorts of organizations put together lists naming the best and worst things they’ve seen over the past 12 months. Below, you’ll find out what Forbes and iDefense determined to be very much in the “worst” category, as they got together to name “The Year’s Most-Hacked Software.”

2009’s “Most-Hacked Software” Named

The big non-award goes to Adobe Reader. A whopping 45 bugs were found in it, which obviously isn’t great, averaging out to about one per week. Microsoft’s Internet Explorer came in second place with a better – but still not good – 30 bugs.

Next up is what may be a more surprising pick in the form of Mozilla Firefox. It was plagued by 102 bugs. Just don’t try to perform an apples-to-apples comparison with other contenders, since the open source nature of Firefox means that all of its issues are discussed in public.

Then we go back to Adobe with Adobe Flash. Apple Quicktime followed. Microsoft Office was next, and finally, Windows wrapped up the list.

Perhaps this naming and shaming will encourage companies to do a better job of making their products safe. If not, at least it acts to provide security vendors and individuals with a little more information.