The other day, I read a comment in an article that said something like, “this latest break-in should serve as a wake-up call to the banks.”

I laughed at this statement, of course, because of all the times I’ve read something just like it, but without any real indications that anyone actually had “woken up.” It's as though someone just keeps hitting the metaphorical snooze button — and not just at the banks.

So that was exactly what went through my mind when I recently read some statistics from ISS predicting that we’d see some 7,500 published software vulnerabilities this year, a 41% increase over last year. That old snooze button seems way too convenient.

But then I thought about these numbers a bit more, and I think the answer isn’t all that simple. Yeah, anyone who reads this column from time to time has probably heard me complain about how bad the general state of software security is these days. We clearly need to make some significant and fundamental changes there, but there’s more to it than that.

For one thing, a 41% increase in published software vulnerabilities doesn’t happen on its own; there must be some big forces in play. Case in point: If the people who look for software vulnerabilities kept doing their work at more or less a status quo level, then there’d have to be a corresponding 41% increase in the amount of software out there, right? Or there are 41% more people looking for vulnerabilities. Or something in between. That stands to reason.

Assuming we didn’t see an overall increase of 41% in the amount of unique deployed software in a single year, it seems logical that somehow we’re looking for weaknesses differently. More “researchers” out there hunting for them, perhaps? But that explanation falls short in my view.

A far more realistic explanation is the shift in profit motive that we’ve seen in the past three (or so) years. The people behind phishing, Trojan horses and other malware are like great white sharks in the ocean, constantly hunting for new, as-yet undiscovered vulnerabilities to exploit. Their appetite for these nasties is endless. Indeed, it is their livelihood, however ill-conceived and illegal, that is at stake.