Secure Coding mailing list archives
Vulnerability tallies surged in 2006 | The Register
From: dinis at ddplus.net (Dinis Cruz)
Date: Wed, 24 Jan 2007 10:54:38 +0000
You also are not taking into account the number of vulnerabilities that are discovered by security consultants under NDA which are never published. I have lost the count on the number of vulnerabilities (at the time zero-days) that I have discovered in commercial software and where never published (and in some cases even patched or communicated to their clients/users). And when talking to my peers, I would estimate that if these vulnerabilities discovered under NDAs where reported, the number below would be much, much, much bigger. Maybe one day when companies are forced (by law) to disclose the vulnerabilities that they know exist in their products (maybe in a format similar to http://research.eeye.com/html/advisories/upcoming/), we will have a good picture of what is really going on. Dinis Cruz Chief OWASP Evangelist http://www.owasp.org On 1/24/07, pete werner <peter.werner at gmail.com> wrote:
This strikes me as largely meaningless, bordering on good news. More bugs found = more bugs fixed = more secure software. I dont really think you can compare the numbers from 2001 and 2006 though. There's way more people looking for bugs now than there were in 2001. Maybe there were more bugs around in 2001 as secure coding practises still weren't well known, and security was nowhere as mainstream as it is now, so your average developer was less aware of secure coding practises and techniques. Also, nowadays people rush to disclose vulnerabilites, no matter how minor they may be. There were plenty of vulnerabilites discovered in 2001 that weren't publicly disclosed, and some that probably still remain undisclosed. I would be interested to see what conclusions you can actually draw from these figures (really). On 1/23/07, Kenneth Van Wyk <ken at krvw.com> wrote:FYI, CERT/CC reported 8064 software vulnerabilities in 2006, for a 35% increase over 2005. See http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/ The article further states, "The greatest factor in the skyrocketingnumberof vulnerabilities is that certain types of flaws in community and commercial Web applications have become much easier to find, said Art Manion, vulnerability team lead for the CERT Coordination Center. 'The best we can figure, most of the growth is due to fairly easy-to-discover vulnerabilities in Web applications," Manion said."Theyare easy to find, easy to create, and easy to deploy.'" Cheers, Ken ----- Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)as a free, non-commercial service to the software security community. ______________________________________________________________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
-- -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20070124/262d7366/attachment.html
Current thread:
- Vulnerability tallies surged in 2006 | The Register Kenneth Van Wyk (Jan 22)
- Vulnerability tallies surged in 2006 | The Register Benjamin Tomhave (Jan 22)
- Vulnerability tallies surged in 2006 | The Register Wall, Kevin (Jan 22)
- Vulnerability tallies surged in 2006 | The Register pete werner (Jan 23)
- Vulnerability tallies surged in 2006 | The Register Dinis Cruz (Jan 24)
- Vulnerability tallies surged in 2006 | The Register Benjamin Tomhave (Jan 22)