Vulnerability tallies surged in 2006 | The Register

[dinis at ddplus.net (Dinis Cruz)]

You also are not taking into account the number of vulnerabilities that are
discovered by security consultants under NDA which are never published.

I have lost the count on the number of vulnerabilities (at the time
zero-days) that I have discovered in commercial software and where never
published (and in some cases even patched or communicated to their
clients/users).

And when talking to my peers, I would estimate that if these vulnerabilities
discovered under NDAs where reported, the number below would be much, much,
much bigger.

Maybe one day when companies are forced (by law) to disclose the
vulnerabilities that they know exist in their products (maybe in a format
similar to http://research.eeye.com/html/advisories/upcoming/), we will have
a good picture of what is really going on.

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org

On 1/24/07, pete werner <peter.werner at gmail.com> wrote:
> This strikes me as largely meaningless, bordering on good news. More
> bugs found = more bugs fixed = more secure software.
>
> I dont really think you can compare the numbers from 2001 and 2006
> though. There's way more people looking for bugs now than there were
> in 2001. Maybe there were more bugs around in 2001 as secure coding
> practises still weren't well known, and security was nowhere as
> mainstream as it is now, so your average developer was less aware of
> secure coding practises and techniques.
>
> Also, nowadays people rush to disclose vulnerabilites, no matter how
> minor they may be. There were plenty of vulnerabilites discovered in
> 2001 that weren't publicly disclosed, and some that probably still
> remain undisclosed.
>
> I would be interested to see what conclusions you can actually draw
> from these figures (really).
>
> On 1/23/07, Kenneth Van Wyk <ken at krvw.com> wrote:
> > FYI, CERT/CC reported 8064 software vulnerabilities in 2006, for a 35%
> > increase over 2005.
> >
> > See
> > http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/
> >
> > The article further states, "The greatest factor in the skyrocketing
> number
> > of vulnerabilities is that certain types of flaws in community and
> > commercial Web applications have become much easier to find, said Art
> > Manion, vulnerability team lead for the CERT Coordination Center.
> >
> > 'The best we can figure, most of the growth is due to fairly
> > easy-to-discover vulnerabilities in Web applications," Manion said.
> "They
> > are easy to find, easy to create, and easy to deploy.'"
> >
> > Cheers,
> >
> > Ken
> > -----
> > Kenneth R. van Wyk
> > SC-L Moderator
> > KRvW Associates, LLC
> > http://www.KRvW.com
> >
> >
> >
> >
> >
> > _______________________________________________
> > Secure Coding mailing list (SC-L) SC-L at securecoding.org
> > List information, subscriptions, etc -
> > http://krvw.com/mailman/listinfo/sc-l
> > List charter available at -
> > http://www.securecoding.org/list/charter.php
> > SC-L is hosted and moderated by KRvW Associates, LLC (
> http://www.KRvW.com)
> > as a free, non-commercial service to the software security community.
> > _______________________________________________
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________



--
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20070124/262d7366/attachment.html