The 80/20 of Managing Software Risk

I was in a meeting with a large group of security professional today talking about SDL, reducing vulnerabilities, metrics, and so on - my normal topics - and we got into a really interesting discussion about which areas of focus can get the best practical results for operational IT security.

The discussion focused around this question - what percentage of malware infections happen due to:

  • Vulns without patches available ? (aka new vulns)
  • Vulns with patches available, but not applied (unpatched vulns)?
  • Some other vector - mis-configuration, social engineering, etc ?

Anecdotally - let me emphasize that - anecdotally, in our discussion we thought the breakdown was something like this:

  • new vulns - less than 10%
  • vulns with patches not applied - 20-30%
  • other vector (misconfiguration, social engineering, etc) - 60-70%
malwarevector

Let me encourage you to use your own numbers if you don't think that breakdown is right, as I don't think it detracts from the discussion at all.  Let's look at this graphically using the zone-h numbers:

So now, let's think about what this means in terms of product vulnerabilities and products.  The bottom two bars are vulnerability, or software quality, related.  So, when I try to measure vendor progress on security quality or count vulnerabilities, success along those lines only affect the bottom two bars.  The remainder of managing security risk (55%) depends on other factors completely.

malwarevector-edit

But, even without perfect products, look how much of the malware  problem can not be eliminated by improving security quality or reducing vulnerabilities.

This really emphasizes how important other security disciplines are to the goal of protecting computers from malware.  Security management and efforts to make users slightly more clueful jump out as to efforts that could have large impact on operational security.

So, while the importance of these disciplines is by no means a new insight, going through this exercise really puts into things into perspective (for me) with respect to practical security progress in the enterprise.

In the meantime, we should all encourage vendors to work towards those perfect software products to reduce the other two sections as well.

Copyright © 2007 IDG Communications, Inc.

8 pitfalls that undermine security program success