As Google's Chrome web browser increased in popularity from 2008, there was a correlated increase in potential customer exposure. The graph below illustrates the rise of disclosed vulnerabilities in Chrome linked to market share (as reported by W3Schools).
From 2008 to November 2010, Chrome experienced a 1,154% increase in discovered vulnerabilities, far outstripping the rate for other emergent browsers such as Firefox (at 594%) by almost a factor of 2.
The graph suggests that weaknesses in software do not appear to dampen customer demand. Chrome market share increased despite an explosion in discovered security defects.
Resilient software is not a variable in market competition; it is highly decoupled from the other factors on which products compete, so emergent products tend to under-supply software security without fear of customer backlash. Customers cannot "see" insecurity and therefore cannot accurately price the associated risk before acquisition.
This is a distortion in the market that should be corrected.
Hey David,
The problem with using reported CVE count is that it isn't a good proxy for how secure a product is. My guess is the Google bug bounty program and the rising popularity of the browser account for a lot of the increase. Also, how are CVEs in bundled components like WebKit, etc. counted in the CVE stats?
Chrome's security has actually gotten quite a bit better in the past two years despite the increase in CVE count. The fact that no one has bothered to target Chrome in the pwn2own contest the past couple years feels like an indicator that it is more difficult to attack than the frequent browser victims of the contest such as Safari.
Security may not be a key factor users consider when selecting their browser, but I don't think Chrome supports your argument in this case.
Brad
Posted by: Bradarkin | November 09, 2010 at 11:25 AM
Also, Firefox 1.0 was merely an evolution of the Mozilla engine, and Chrome is based on WebKit. It's difficult to define a "zero" point for these browsers, since there hasn't been a new general-purpose browser engine made in over a decade.
Posted by: Joeri | November 16, 2010 at 12:48 AM