August 01, 2008

Security reports: don't panic!

IBM Internet Security Systems published its X-Force 2008 Mid-Year Trend Statistics report, and immediately everyone is going through the roof, publishing scary and sensational headlines about Drupal, WordPress and Joomla! being vulnerable.

The report

What everybody got so upset about is the following table of vendors with the most vulnerability disclosures:

Ranking   Vendor       Disclosures
1.        Apple        3.2%
2.        Joomla!      2.7%
3.        Microsoft    2.5%
4.        IBM          2.3%
5.        Sun          1.9%
6.        Oracle       1.4%
7.        Cisco        1.4%
8.        Drupal       1.2%
9.        WordPress    1.1%
10.       Linux        1.0%

Time to lock all doors and windows and go back to good ol' static HTML? Yes, if you believe some bloggers. But take a closer look: the table lists the vendors with the most vulnerability disclosures. It doesn't list the most vulnerable vendors, and there's a huge difference. Chances are that the vendors that didn't make the top ten are actually more vulnerable, but simply have fewer disclosures. The more people use code and look at it, the more issues will be discovered. That's why only big names get into the top ten. Joomla! and Drupal are always very quick with security patches, so there's really no need to panic.

A real world example

It reminds me of the Belgian dioxin affair a couple of years back. Some eggs and chickens were discovered to contain toxic dioxin. The press and public opinion went insane, there was a huge political crisis, and 7 million chickens were destroyed. When it finally blew over, it turned out the dose was less than 100 mg and no direct threat to public health. And nobody seemed to get that it was actually good news: if the Belgian food inspection can detect such small amounts of toxins, we can be pretty reassured that our food is safe. The same thing goes for Joomla!: if many issues are discovered and dealt with, the result is an application we can trust.
