A vulnerability disclosure that came out today made me wonder if there is a relationship between vulnerability disclosures and the Hype Curve. Roi Saltzman from the IBM Application Security Research team posted “Old Habits Die Hard: Cross-Zone Scripting in Dropbox & Google Drive Mobile Apps” at the Application Security Insider blog. Seeing the detailed description of how the vulnerabilities can be exploited in the mobile versions of Dropbox and Google Drive really opened my eyes. I always think of cross-site scripting as a problem that exploits weaknesses in both the application and the browser, but I don’t tend to think of this type of problem beyond the desktop. As Roi Saltzman points out:
“Cross-Zone Scripting was once quite common in Desktop environments until it was mitigated by browser vendors. Unfortunately, this vulnerability type has been carried on to the Mobile world, where it is still a threat. As always, it is interesting to see how old vulnerabilities sneak up to new products.”
In fact, the most recent release of the IBM X-Force 2012 Mid-year Trend and Risk Report notes that:
“Over 51% of all web application vulnerabilities reported so far in 2012 are now categorized as cross-site scripting.”
The trend is still increasing:
It made me wonder whether application platforms can be evaluated against the Hype Curve just like any other technology. The short answer is yes, of course: the Hype Curve can be applied to any sort of new or emerging technology. I don’t know if Gartner has ever published a Hype Curve specifically devoted to application platforms, but I think it would be interesting to see. TN3270 screens would sit at the extreme far end, thoroughly into the Plateau of Productivity. Web browsers? Possibly into the Plateau, but I’d have to say more likely in the “Slope of Enlightenment” phase. They haven’t reached the point where we no longer have to think about them, but they are getting there. But where are mobile application platforms on the Hype Curve? I gotta go with “Peak of Inflated Expectations.” Just like everyone wanted a web version of their application back during the “client-server” revolution, today everyone wants a mobile interface for their app. That makes sense given the growth of mobile-based web traffic.
Mobile Platform Vulnerability Disclosure and the Hype Curve
But at the same time, mobile vulnerability disclosures are still going up, and yesterday’s problems in the desktop browser space are becoming today’s nightmare on the phone. It made me wonder whether vulnerability disclosures can be used as a leading indicator, or predictor, of where a platform falls on the Hype Curve. Does the platform hit its Peak of Inflated Expectations when vulnerability disclosures hit a certain threshold? Does a platform start digging its way out of the Trough of Disillusionment when the rate of disclosures falls below a certain level?
I don’t have the data to create an overlay, but I’d be willing to bet that a big part of where a platform falls on the Hype Curve is directly related to the rate of vulnerability disclosures for it. One thing’s for sure: it shows a crying need for mobile development tools like IBM Worklight.