Friday, May 17, 2013
The above graph summarizes the number of entries in the Common Vulnerabilities and Exposures (CVE) list, organized by the year in which each entry was created. The list is maintained by MITRE (a government-funded non-profit research organization) and assigns a standard identifier to each publicly known software vulnerability. Each entry describes an individual flaw in some piece of software that could allow the security of that software to be compromised.
This data summarizes a complex process and is somewhat hard to interpret. Software vulnerabilities are created by software engineers making mistakes when they write code. A certain fraction of those mistakes will be "exploitable", meaning that a determined attacker can use the flaw to compromise system security. Many such vulnerabilities are unknown: the original engineer didn't realize the mistake existed, and no one else has discovered it since. Some vulnerabilities are known internally at the organization that maintains the software, but not publicly. Some become known to certain external parties, but not publicly (for example, intelligence agencies have sizeable efforts to discover vulnerabilities for use in espionage, and they do not make those public).
Only a small fraction (probably) of all vulnerabilities become publicly known to the security community, and those generally receive a CVE identifier. As the graph shows, this number grew for a while, but plateaued in the mid-2000s and has since run at around 5000-7000 per year.
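As an added example (not part of the original post, and not MITRE's own tooling), the following Python script tallies entries by the year embedded in each CVE identifier, which is how a per-year count like the one in the graph is produced. The input is a constructed, simplified list rather than MITRE's actual file format. Two caveats a careful reader of the graph should keep in mind are built in: the year in a CVE ID is the year the ID was assigned or reserved, not necessarily the year the flaw was found or published, and the list contains "** RESERVED **" placeholders that inflate a raw count. Sequence numbers longer than four digits (allowed from 2014 onward) are accepted so the parser is not brittle.

```python
import re
from collections import Counter

# Constructed sample in a simplified "CVE-ID,description" form (not real
# CVE data and not MITRE's file format). The year in each identifier is
# the year the ID was assigned or reserved, which is what a per-year
# tally of the list counts; it is not necessarily the year the flaw was
# found or published.
SAMPLE_ENTRIES = """\
CVE-2010-0001,constructed entry A
CVE-2011-0002,constructed entry B
CVE-2011-0003,constructed entry C
CVE-2012-0004,** RESERVED ** placeholder, no public details yet
CVE-2012-0005,constructed entry D
not-a-cve-line,should be ignored
CVE-2014-123456,constructed entry E (post-2014 IDs may exceed four digits)
"""

# CVE identifier grammar: "CVE-" + four-digit year + "-" + at least four
# digits (the sequence number was fixed at four digits until 2014).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(candidate):
    """Return (year, sequence_number) for a well-formed CVE ID, else None."""
    m = CVE_ID_RE.match(candidate.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def count_by_year(entries_text, include_reserved=True):
    """Tally entries by the year embedded in their CVE ID.

    Lines whose first field is not a valid CVE ID are skipped. Reserved
    placeholders (description starts with "** RESERVED **") are counted
    unless include_reserved is False, so the two modes can be compared.
    """
    counts = Counter()
    for line in entries_text.splitlines():
        if not line.strip():
            continue
        cve_id, _, description = line.partition(",")
        parsed = parse_cve_id(cve_id)
        if parsed is None:
            continue
        if not include_reserved and description.strip().startswith("** RESERVED **"):
            continue
        year, _seq = parsed
        counts[year] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    print("all entries:      ", count_by_year(SAMPLE_ENTRIES))
    print("without reserved: ", count_by_year(SAMPLE_ENTRIES, include_reserved=False))
```

Running it on the constructed sample gives 2 entries for 2012 with placeholders included and 1 without, which is the kind of difference that decides whether a graph like the one above overstates the number of disclosed flaws in a given year.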
Vulnerabilities vary widely in their significance. Vulnerabilities in widely used software can be (and are) used extensively in cyber-crime and espionage. Vulnerabilities in critical software could potentially be used to cause crippling cyber-attacks. Vulnerabilities in rare and unimportant software may not matter much. The above graph simply counts all of them, with no weighting by severity or by how widely the affected software is deployed.