Booming numbers of security researchers are uncovering so many flaws that vendors are finding it almost impossible to patch them all in a reasonable timeframe, the latest SANS report has found.

This paradox is one of a number of findings contained in the Top Cyber Security Risks report, which the organisation now plans to publish twice yearly in association with data provided by customers of partners TippingPoint and Qualys, upgrading the annual reports it has produced for some years.

More researchers hunting for flaws should be a good thing, but the report for March to August 2009 suggests that this has created logistical problems for an industry that is still heavily focused on adding features and product enhancement as its main priority.

Attackers now look to undermine systems through application vulnerabilities, with server-side and OS flaws declining in significance. Simultaneously, legitimate researchers have started finding the same types of flaws, which has caught some vendors in a pincer of malicious attacks and honest disclosures they often don't seem to have allocated the resources to deal with.

"There is a corresponding shortage of highly skilled vulnerability researchers working for government and software vendors. So long as that shortage exists, the defenders will be at a significant disadvantage in protecting their systems against zero-day attacks," note the report's authors.

The applications being attacked are significant in that they probably live on almost every PC in the world. The leading culprits identified by SANS are Microsoft's Office, Adobe's Acrobat Reader and Flash programs, Sun's Java, and the various browsers in which such programs often run as plug-ins. Apple's Quicktime is another rising vulnerability star, notable because it is popular across more than one operating system.

The arithmetic is daunting. More flaws, including zero-day flaws, are being discovered in software that is ubiquitous, which has led to increased patching times. This is partly to do with the time it takes to produce a patch and partly down to organisations misunderstanding the risk of application flaws and taking too long to apply patches.

"On average, major organisations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. In other words the highest priority risk is getting less attention than the lower priority risk," says the report.

According to Wolfgang Kandek of Qualys, one of the major contributors to the SANS data, a third issue was how to roll out security updates to consumer PCs in an efficient way.

"The problem today is that it is splintered on six [or more] different updaters." Just coping with application patching on a single PC had become a major challenge, he said, which suggested a new integrated mechanism was needed to make patching more seamless. Kandek praised Google's Chrome browser, where patching happened transparently and without user intervention, as a model for the future.

"It can be quite challenging if you are focused on development to understand that software gets abused."

The issue of patching cycles and patch application is already well-discussed by Qualys's own annual Laws of Vulnerability report, so the latest blast from SANS says nothing organisations shouldn't already be aware of.

The bigger lesson is for software vendors, which need to employ more researchers of their own and more people to relate their discoveries to the complex process of patching vulnerable apps. Microsoft has done a lot of hard work in this area with its much-vaunted Software Development Lifecycle (SDL), which is supposed to have changed the way apps get written from the first line of code. Others have much work to do - Adobe take note.