Don’t Take Vulnerability Counts At Face Value
A posting from Dark Reading in there Vulnerability Management Section: In 2012, there were 5,291 vulnerabilities documented by security researchers and software firms. Wait, no, make that 8,137. No, 9,184. Well, it could even be 8,168 or 5,281.
In reality, the exact number of vulnerabilities reported in different databases each year varies widely–by as much as 75 percent in 2012. The fundamental problems in counting vulnerabilities, along with the issues assigning a meaningful severity to each vulnerability, means that analyses based on the data should be treated with skepticism, argue two security professionals that plan to outline problems with vulnerability data at Black Hat in Las Vegas later this summer.
Researchers Brian Martin, content manager of the Open Source Vulnerability Database (OSVDB), and Steve Christey, principal information security engineer in the security and information operations division at The MITRE Corporation, say that the goal of their talk is to not only point out unreliable data but also to help people pinpoint what reports are based on such shaky foundations.
To read more click here:
Leave a Reply
Want to join the discussion?Feel free to contribute!