The chief technologist at Symantec said the number of new software vulnerabilities being found is leveling off, but that he thinks an increase could be imminent.
Speaking to reporters this week, Rob Clyde said that the industry is averaging 53 vulnerabilities per week in 2004. That’s an increase of just three on last year, but up from a mere 10 vulnerabilities a week five years ago, he said.
We’ve been kind of hitting a plateau in the last couple of years, Clyde said. However, he added: I think we’re at a knee in the curve and we’re going to see a big jump.
This rise in vulnerabilities, he said, could come from the introduction of new operating systems, applications, and the urge by vendors to quickly introduce more features into their software.
Of course, not all users are affected by all vulnerabilities. Still, the average business is affected by 10 to 15 vulnerabilities per week, he said. Patching all of these immediately is not practical or even safe, he said.
The emergence of software that scans code for potential vulnerabilities is not going to eradicate the problem, Clyde said. The industry is very much in its infancy in that area, he said. We’re at about the same stage as we are eradicating cancer.
Early efforts at vulnerability scanning were inadequate, he said, not catching enough vulnerabilities, and providing too many false positives, which reduced confidence in the technology.
We’ve only recently started to get the tools that when it tells you there’s a problem there really is a problem, he said. I don’t believe this will be solved in the next couple of decades.
Symantec earlier this week released its first intrusion prevention system for internal networks, and Clyde said that the key technologies going forward will be those that protect vulnerabilities, rather than just blocking exploits.
We’re finding a need for more focus on proactive areas, things that can slow down and stop these attacks, he said, pointing to behavioral blocking, protocol anomaly detection and generic exploit blocking as key areas.
Many of the threats will go away, but new ones will emerge. Bad guys are as adaptable as any of us, they will find new ways to break systems, he said. This will be never-ending.