Open Source Platforms Arrive On IBM's Most Vulnerable List

by Sam Dean - Jul. 31, 2008

IBM Internet Security Systems is out with its X-Force 2008 Mid-Year Trend Statistics report, an exhaustive look at security vulnerabilities in both proprietary and open source software. It highlights trends in malware and phishing, and ranks vendors, open source projects, and even programming languages by the number of vulnerability disclosures affecting them. With the rise of open source software, including much wider adoption in enterprises, it's no surprise to see some open source platforms arrive on the top ten most vulnerable list, including one in second place, sandwiched between Apple and Microsoft. Which open source projects qualified, and for the first time?

This year the IBM study used a new standard to classify vulnerabilities by vendor and project: CPE, or Common Platform Enumeration, a structured naming scheme for software products. According to the study's authors:

"This new methodology plus some changes in the vulnerability landscape has brought some newcomers to our top ten list: Joomla!, an open-source content management system for web sites" ... "Drupal, another open-source content management system for web sites."

WordPress, by the way, is also on the top ten list for the first time. "An obvious trend demonstrated by the appearance of these vendors on the top ten list is the increasing prevalence of web-related vulnerabilities," say the study's authors. In other words, attackers and phishers have their eyes on web-based targets more than ever before, so it follows that widely deployed content management systems, which expose a large attack surface to the public Internet, would show up.

Then there's this nugget:

"Another commonality between these three vendors is that they are all written in PHP. If we look back over last year’s disclosures and apply the new CPE methodology to them, we would uncover another newcomer to the top five list, PHP itself, which would rank number four in the 2007 top five vendor list."

The top ten most vulnerable vendors/projects are ranked by "disclosures," meaning the number of publicly disclosed vulnerabilities affecting each vendor's or project's products during the period, regardless of who reported them. Note that this is a raw count: a disclosure counts the same whether it is a remotely exploitable flaw or a minor information leak, and it says nothing about how quickly a fix shipped. It's also worth noting that Linux is on the top ten list, but only barely. Here's how the list looks, and there is more in the IBM report:
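To make the counting method concrete, here is an added example (not code from IBM, the X-Force report, or OStatic) that parses CPE 2.2 URIs of the form cpe:/part:vendor:product:version and tallies how many distinct disclosures touch each vendor. The vulnerability identifiers and CPE names in SAMPLE_RECORDS are constructed sample input, not real advisories, and the exact grouping rules X-Force applied are an assumption: this example counts a vulnerability once per vendor even when it lists several products or versions from that vendor, and once for every vendor it names.

```python
"""Rank vendors by vulnerability disclosure count using CPE 2.2 names.

Added illustration only; the records below are constructed, not real CVEs,
and the "one count per vendor per vulnerability" rule is this example's
assumption about how a disclosure-based ranking is built.
"""
from collections import Counter, defaultdict
from urllib.parse import unquote

# CPE 2.2 component order: cpe:/part:vendor:product:version:update:edition:language
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
CPE22_PARTS = {"a": "application", "o": "operating system", "h": "hardware"}


def parse_cpe22(cpe: str) -> dict:
    """Split a CPE 2.2 URI into named fields; missing trailing fields become None."""
    if not cpe.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {cpe!r}")
    components = cpe[len("cpe:/"):].split(":")
    if components[0] not in CPE22_PARTS:
        raise ValueError(f"unknown CPE part {components[0]!r} in {cpe!r}")
    fields = {}
    for index, name in enumerate(CPE22_FIELDS):
        # Percent-decoding recovers characters such as '!' in names like Joomla!
        value = components[index] if index < len(components) else ""
        fields[name] = unquote(value) if value else None
    return fields


def disclosures_by_vendor(records) -> Counter:
    """records: iterable of (vulnerability_id, [cpe_uri, ...]).

    A vulnerability contributes at most one count to each vendor it names,
    however many products or versions of that vendor are listed, and it
    contributes to every vendor it names (a flaw in a PHP application that
    also affects PHP itself counts for both).
    """
    vulns_per_vendor = defaultdict(set)
    for vuln_id, cpes in records:
        for cpe in cpes:
            vendor = parse_cpe22(cpe)["vendor"]
            vulns_per_vendor[vendor].add(vuln_id)
    return Counter({vendor: len(ids) for vendor, ids in vulns_per_vendor.items()})


def top_n(records, n: int = 5):
    """Return the n vendors with the most distinct disclosures, highest first."""
    return disclosures_by_vendor(records).most_common(n)


# Constructed sample input: identifiers are placeholders, not real advisories.
SAMPLE_RECORDS = [
    ("SAMPLE-001", ["cpe:/a:wordpress:wordpress:2.5", "cpe:/a:wordpress:wordpress:2.5.1"]),
    ("SAMPLE-002", ["cpe:/a:joomla:joomla:1.5.3"]),
    ("SAMPLE-003", ["cpe:/a:joomla:joomla:1.5.4"]),
    ("SAMPLE-004", ["cpe:/a:drupal:drupal:6.2"]),
    ("SAMPLE-005", ["cpe:/a:php:php:5.2.6", "cpe:/a:joomla:joomla:1.5.4"]),
    ("SAMPLE-006", ["cpe:/o:linux:linux_kernel:2.6.25"]),
]

if __name__ == "__main__":
    for vendor, count in top_n(SAMPLE_RECORDS):
        print(f"{vendor:<12} {count}")
```

Run on the sample, joomla ranks first with three distinct disclosures, while wordpress gets one despite listing two affected versions. Swapping the grouping rule (for example, counting every affected version separately) changes the ranking, which is exactly why a methodology change such as the move to CPE can reshuffle a top ten list without any change in the underlying software.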




6 Comments

Heh heh heh :p

Oh well, time for some XSS attempts :)

testing123

testing456

Look Here!

[IMG]http://ostatic.com/themes/B7/imgs/btn-comment-lg.gif[/IMG]

All for now :)

- Reelix

0 Votes

Well ... this was a little deflating. I do my blogging on WordPress, and I develop Intranet sites in PHP on Linux from a Mac.

0 Votes

I didn't know what Joomla was until I looked it up just now. In any event, I'm surprised that from the prolific nature of FOSS systems that there isn't one on the top of the list. This doesn't speak well of FOSS so much as it ridicules everyone else. You have totally mixed and undisciplined groups of people from all backgrounds and educations producing thousands of systems using every different technology available, yet it is news when one of the larger ones shows up to be as insecure as the major commercial offerings. This is an incredible compliment to the open source way of doing things.

0 Votes

Since this report is based on voluntary disclosures of vulnerabilities, and also ranks all vulnerabilities as the same level of risk, it doesn't say much about the real-world security of the systems mentioned. More, it's a reflection of their transparency, how they choose to deal with vulnerabilities, and how active the development is.

You can no more rank vulnerable projects by disclosures than you can rank operating systems by version number, or successful projects by lines of code.

0 Votes

If the list is constructed from voluntary notices of security issues... well, then Apple appears to be the best on the list, giving more warning to its customer base for issues, than either Microsoft, or IBM itself.

0 Votes

"You have totally mixed and undisciplined groups of people from all backgrounds and educations producing thousands of systems using every different technology available, yet it is news when one of the larger ones shows up to be as insecure as the major commercial offerings."

Mixed, yes.. from all backgrounds and educations, yes. But "undisciplined" and uncontrolled / not-organized... hell no. FOSS development is far from "code at home and it's in the next version".

0 Votes