At the start of the new year, I did some technical housekeeping, starting new notebooks and such. After looking back through my client notes from 2016, I started to become intrigued with the idea of how software companies were viewed, based on perceived product security and reliability, versus the actual software defects recorded in the CVE repository (Common Vulnerabilities and Exposures).
As a VMware TAM, I receive a lot of direct feedback from clients in the field regarding software quality and security vulnerabilities. VMware is known and regarded for developing some of the most secure and reliable infrastructure software products in the industry today, but I wondered how VMware compared with other software manufactures on a broader spectrum.
Given this inspiration, I researched aggregated CVE data at CVEDetails.com and found exactly what I was looking for. The site tracks product CVEs by manufacturer and has a Top 50 Vendors By Number Of “Distinct” Vulnerabilities. More importantly, the site tracks security vulnerabilities per product, which tells us a little bit more than by manufacturer alone. So, after combing through screens of data for an evening I found some interesting trends.
The first observation was the product with the highest total number of “distinct” vulnerabilities for 2016 was Google Android.
During 2016, security researchers discovered and reported 523 security bugs in Google’s Android OS which put into perspective how much code runs on mobile devices these days. This takeover from the desktop operating systems dominance in this area and demonstrates how large the attack surface of the mobile network is now. The rest of the top 10 list is made up by Debian (319 bugs), Ubuntu (278 bugs), Adobe Flash Player (266 bugs), openSUSE Leap (259 bugs), openSUSE (228 bugs), Adobe Acrobat DC (227 bugs), Adobe Acrobat Reader DC (227 bugs), Adobe Acrobat (224 bugs), and the Linux Kernel (216 bugs).
When it comes to software vendors, the company for which the largest number of new CVE numbers have been assigned was Oracle, with a whopping 798 CVEs, who edged out Google (698 bugs), Adobe (548 bugs), Microsoft (492 bugs), Novell (394), IBM (382 bugs), Cisco (353 bugs), Apple (324 bugs), Debian Project (320 bugs), and Canonical (280 bugs).
Going through the data even further, I started to realize that VMware has done a very good job of product security life-cycle management. Coming in at #30 on the list, VMware had only 3 vulnerabilities per product, by average. Comparatively, Microsoft had 11 vulnerabilities per product during the same span. While this doesn’t mean anything on it’s own, given the relative data, I think everyone can agree that there is a relationship to vulnerabilities per product. After sorting and filtering a bit more, there were three thoughts that became immediately apparent.
First, it’s more important than ever that each software manufacturer is diligent in their social responsibility for product security. Second, regardless of the manufacturer, there is an obvious trend in the rise of CVEs affecting mobile devices which will only increase. And lastly, it would seem that VMware Airwatch is very well positioned for the future.
Feel free to reach out if you have any questions on how VMware Airwatch can help reduce your exposure to operating system and application security defects.
Erik Hinderer has over 17 years of experience in the architectural design and management of mission critical systems and infrastructure. He currently serves as a Technical Account Manager at VMware, focusing on enterprise VMware architecture, design and project leadership for Fortune 100 companies.