The number of reported security flaws jumped for the second year in a row in 2006. So says CERT, the Computer Emergency Response Team.
CERT said 8,064 vulnerabilities were reported last year, up from 5,990 in 2005. Much of the increase was accounted for by bugs turned up in web applications, which are becoming more widely used by individuals and businesses alike. The number of vulnerability notes published by CERT also rose: to 422 in 2006 from 285 the previous year.
Increases of a similar proportion were recorded in other vulnerability databases, including the National Vulnerability Database, the Open Source Vulnerability Database and the Symantec Vulnerability Database, according to SecurityFocus, which is part of Symantec. Symantec said that in the first half of 2006, more than three-quarters of the bugs reported affected web applications.
CERT said the trend partly reflects the growing ease with which vulnerabilities can be spotted, for instance using source code search tools such as the one Google launched recently, which let researchers hunt across many open-source projects for the same known-bad coding pattern. In addition, many of the affected web applications are used mainly by small businesses or individuals, so the bugs in them are not necessarily a direct threat to enterprises.
However, the figures also reflect a real increase in the proliferation of web applications, and in their vulnerability, CERT said. Such dramatic increases are not a long-standing feature of the IT landscape. After nearly doubling in 2002 to 4,129, the number of vulnerabilities reported to CERT dropped to 3,784 in 2003 and held almost exactly steady in 2004, before rising again in both 2005 and 2006.