IBM's security group, X-Force, released its 2011 Trend and Risk Report which surveys some 4,000 customers, and the report showed the following:
• Spam out: a 50% decline in spam email compared to 2010.
• Better patching: Only 36% of software vulnerabilities remaining unpatched in 2011 compared to 43% in 2010. Some security vulnerabilities are never patched, but the percentage of unpatched vulnerabilities has been decreasing steadily over the past few years.
• Higher quality of software application code: Web-application vulnerabilities called cross-site scripting (XSS) are half as likely to exist in clients' software as they were four years ago, IBM stated. However, XSS vulnerabilities still appear in about 40% of the applications IBM scans.
• Fewer exploits: When security vulnerabilities are disclosed, exploit code is sometimes released that attackers can download and use to break into computers. Approximately 30% fewer exploits were released in 2011 than were seen on average over the past four years.
Of course there is a dark side. These are new security problem trends IBM reported:
• Shell command injection vulnerabilities more than doubled: For years, SQL injection attacks against Web applications have been a popular vector for attackers of all types. SQL injection vulnerabilities allow an attacker to manipulate the database behind a website. As progress has been made to close those vulnerabilities -- the number of SQL injection vulnerabilities in publicly maintained Web applications dropped by 46% in 2011-- some attackers have now started to target shell command injection vulnerabilities instead. These vulnerabilities allow the attacker to execute commands directly on a Web server. Shell command injection attacks rose by two to three times over the course of 2011.