The latest Microsoft Security Intelligence Report (SIR) is available now. You can find it here: http://www.microsoft.com/security/sir/default.aspx
Industry-wide vulnerability disclosures continue their downward trend. However, High Complexity vulnerabilities (those that are hard to exploit) rose a bit ( http://www.microsoft.com/security/sir/keyfindings/default.aspx#section_4_1_3 ). Is this a good thing? Maybe. Low and Medium Complexity vulnerabilities continued downward, which means that common, easy-to-attack bugs such as XSS and SQL Injection are on a downward trend. The catch is that complex vulnerabilities requiring a high level of attacker skill are rising. This suggests that automated code and application scanning is being used more widely in development efforts to identify and remove the low-hanging fruit, while bugs that tools cannot identify are still getting through.
So while we seem to be taking better advantage of security tooling, as indicated by the reduced number of application-focused vulnerabilities (http://www.microsoft.com/security/sir/keyfindings/default.aspx#section_4_1_4), we aren't doing enough manual code review, and a comprehensive understanding of security isn't being applied as deeply as it should be. Scanners find the patterns they know; the logic flaws, authorization gaps and multi-step attacks that make up the High Complexity category still need a skilled human reading the code.
For malware-infected and plain old malicious sites, China leads the world by a huge margin.
One of the most encouraging trends is the decline in security breaches. While negligent breaches (lost laptops, theft, e-mails sent to World.All, etc.) are still far more common than intentional attacks, they have come down dramatically in recent history. This indicates that the message is finally getting out and that organisations are starting to get a grip on security policies and on how to promote and enforce them. But the single largest cause of these breaches is still theft. It's easier to steal a company laptop and pull the data off its disk than it is to break into the network. Sometimes these thefts are just for black-market resale of the hardware itself, but some are for information gathering. In either case, it presents a strong case for full-volume encryption such as BitLocker: with the volume encrypted, a stolen, powered-off laptop is only worth the hardware, not the data on it. Note that this protects data at rest only; a machine stolen while running or asleep with the keys still in memory, or one whose recovery key is written on a sticky note in the bag, is not protected, so the policy has to cover pre-boot authentication and key escrow as well as turning the feature on.
Enjoy the report!