This information has been shared freely by Mark E.S. Bernard. If you find it useful please
acknowledge this contribution. If you would like additional information or assistance with the
customization and implementation of a balanced risk management process for your security program
then please contact Mark @ 604-349-6557 or firstname.lastname@example.org
This is a follow-up to my previous assessment of CyberSecurity threats and vulnerabilities. To add
more clarity to the assessment of software vulnerabilities, the following data was pulled from the
Common Vulnerabilities and Exposures (CVE) database. For added context, I have included below
statistics from the Q1 RedSocks Report on Malware.
I chose a sample of the top brands and products used in most infrastructures today. I used three
pieces of information for the assessment: the total number of products, total vulnerabilities and total
exploits. Not all vulnerabilities have published exploits, but that does not diminish the potential risk
associated with these vulnerabilities in the absence of a formal Information Security Management
System. After considering the types of vulnerabilities that exist and the number of products that the
vendor produces, we can draw some conclusions regarding their approach to Quality Management,
information security and the protection of the businesses they serve from Cyber Criminals. The
vulnerability types include Denial of Service, Overflow, Execute Code, Bypass Something, Gain
Information, Gain Privilege, XSS, SQL Injection, Directory Traversal, CSRF, Memory Corruption, and
File Inclusion. Each of these represents a potential opportunity for Cyber Criminals.
[Table: per-vendor counts of Total Products, Total Vulnerabilities and Total Exploits; row data not preserved]
Conclusion: The results speak for themselves. Quality Management does not appear to exist, and
consumers and organizations have been forced to take on security risks that should have been
mitigated by the manufacturers and developers. It's time that information security was treated as
important as financial data. Legislation for the quality of products facing the Internet needs to be
imposed to stop the leaking. Governments creating CyberSecurity Armies are wasting their time. If
information security was imposed on software developers and reinforced with regular audits and
certifications, CyberSecurity risks would be dramatically reduced. Businesses would benefit from
building better CyberSecure products by lowering operational risks and increasing market uptake.
I was surprised that only one of the top 5 Enterprise Resource Planning (ERP) system vendors, SAP, actually publishes vulnerabilities; I expected to see all of them. The top five are #1 Epicor, #2 Infor, #3 Microsoft Dynamics, #4 Oracle Financials, and #5 SAP. What are the others hiding?

I was also surprised to see some of the top security vendor products listed with serious deficiencies that potentially expose customers and weaken the defense in depth security architecture that many businesses and citizens have come to depend upon. These include CISCO, HP, VMWare, McAfee, Symantec and Alienvault.
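The assessment above rests on three per-vendor measures (products, vulnerabilities, published exploits) broken down by vulnerability type, plus the observation that a vendor with no published records is not the same as a vendor with no risk. The script below, added here as an illustration and not taken from the article or from the CVE database, aggregates those measures from a small set of constructed records with placeholder ids (EXAMPLE-n, not real CVE numbers), ranks vendors by the share of their vulnerabilities that have a published exploit, and reports which vendors of interest have no published data at all. The field names, the sample records, and the ranking rule are all assumptions made for the example.

```python
"""Vendor-level vulnerability profile from CVE-style records (constructed example)."""
from collections import Counter, defaultdict

# Constructed sample records: placeholder ids, invented vendors/products.
# "type" uses the category labels the article lists; "exploit" marks a
# published exploit for that vulnerability.
SAMPLE_RECORDS = [
    {"id": "EXAMPLE-1", "vendor": "VendorA", "product": "Router OS",
     "type": "Overflow", "exploit": True},
    {"id": "EXAMPLE-2", "vendor": "VendorA", "product": "Router OS",
     "type": "Denial of Service", "exploit": False},
    {"id": "EXAMPLE-3", "vendor": "VendorA", "product": "Management Console",
     "type": "Overflow", "exploit": True},
    {"id": "EXAMPLE-4", "vendor": "VendorB", "product": "ERP Suite",
     "type": "SQL Injection", "exploit": False},
    {"id": "EXAMPLE-5", "vendor": "VendorB", "product": "ERP Suite",
     "type": "XSS", "exploit": False},
    {"id": "EXAMPLE-6", "vendor": "VendorC", "product": "Endpoint Agent",
     "type": "Gain Privilege", "exploit": True},
]


def summarize_by_vendor(records):
    """Return {vendor: {"products", "vulnerabilities", "exploits", "types"}}.

    products      - number of distinct products with at least one record
    vulnerabilities - number of records for the vendor
    exploits      - records with a published exploit
    types         - Counter of vulnerability type labels
    """
    products = defaultdict(set)
    counts = defaultdict(lambda: {"vulnerabilities": 0, "exploits": 0,
                                  "types": Counter()})
    for rec in records:
        vendor = rec["vendor"]
        products[vendor].add(rec["product"])
        counts[vendor]["vulnerabilities"] += 1
        if rec["exploit"]:
            counts[vendor]["exploits"] += 1
        counts[vendor]["types"][rec["type"]] += 1
    return {v: {"products": len(products[v]), **counts[v]} for v in counts}


def exploit_ratio(summary_entry):
    """Share of a vendor's vulnerabilities that have a published exploit."""
    total = summary_entry["vulnerabilities"]
    return summary_entry["exploits"] / total if total else 0.0


def rank_by_exposure(summary):
    """Vendors ordered by exploit ratio, then vulnerability count (both descending)."""
    return [vendor for vendor, _ in sorted(
        summary.items(),
        key=lambda item: (-exploit_ratio(item[1]),
                          -item[1]["vulnerabilities"], item[0]))]


def vendors_without_records(records, vendors_of_interest):
    """Vendors on the watch list with no published records at all.

    Absence from the data means no disclosure, not zero risk; these vendors
    need a separate answer (vendor questionnaire, contract terms) rather than
    a score of zero.
    """
    seen = {rec["vendor"] for rec in records}
    return [v for v in vendors_of_interest if v not in seen]


if __name__ == "__main__":
    summary = summarize_by_vendor(SAMPLE_RECORDS)
    print(f"{'Vendor':<10}{'Products':>9}{'Vulns':>7}{'Exploits':>9}{'Ratio':>7}")
    for vendor in rank_by_exposure(summary):
        s = summary[vendor]
        print(f"{vendor:<10}{s['products']:>9}{s['vulnerabilities']:>7}"
              f"{s['exploits']:>9}{exploit_ratio(s):>7.2f}  {dict(s['types'])}")
    missing = vendors_without_records(SAMPLE_RECORDS,
                                      ["VendorA", "VendorB", "VendorC", "VendorD"])
    print("No published records:", missing)
```

Running the script prints one row per vendor, most exposed first, and then the watch-list vendors with no data. Swapping SAMPLE_RECORDS for an export from the real database (one row per CVE with vendor, product and a flag for a known public exploit) gives the same three columns the article's table used.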
• Detection by Anti-Virus software 6,153,370
• Undetected 2,053,049
• Common Vulnerabilities & Exposures 61,439
• New malicious files 8,206,419