Popularity makes blemishes in software applications all too conspicuous, but by then, it is too late: customer exposure outstrips defensive measures.
As the Firefox web browser increased in popularity from 2004, so did customers' exposure - specifically, latent security defects were discovered at an accelerated rate, dramatically increasing customer risk. The graph below illustrates the rise of disclosed vulnerabilities in Firefox linked to market share (as reported by W3Schools).
In 2004, security experts recommended switching away from Internet Explorer to "more secure" browsers like Firefox. In retrospect, the stated reasons for switching were deeply flawed; the results, unsurprising.
By the first half of 2009, Firefox experienced a 594% increase in discovered vulnerabilities. Cenzic, an application security vendor, reported Firefox led the pack in total browser vulnerabilities, accounting for 44 percent (Apple came in at 35%, IE at 15%, and Opera at 6%).
The graph above suggests that security is not part of the popularity contest; that is, security is highly decoupled from other competitive market pressures, and thus emerging software manufacturers can under-supply software security without fearing customer backlash. Customers cannot "see" security - or an under-supply thereof - and thus cannot accurately price the associated risks prior to acquisition.
This is a distortion in the market that should be corrected.
It seems like a bad idea to just use the number of disclosed vulnerabilities to draw a conclusion as to how "secure" a product is. I think that it is very important to point out that the report mentioned above did not look at the severity of the vulnerabilities in question, or how quickly they were patched. I do agree with you that the rise in the number of reported vulnerabilities seems correlated to the browser's rise in popularity, which, to me, makes perfect sense: it would come under greater scrutiny as more people used it.
Posted by: Andrew F | August 17, 2010 at 01:43 PM
I agree with Andrew. Also, this doesn't mean that the product is poorly engineered or doesn't have a proper QA process - the larger the project, the bigger the inherent complexity and inner functioning, and if the mechanism is more complex, it's harder to scrutinize and cover the software failures.
When I read these reports, I often think that the reporting company fails at seeing these aspects and at exposing them in a proper way.
Posted by: Manu | August 25, 2010 at 12:40 PM