WebApp Sec mailing list archives
Re: Vulnerability statistics
From: Adam Shostack <adam () homeport org>
Date: Fri, 7 Jan 2005 19:10:42 -0500
Interesting work! There's a couple of biases here:

1) Only 'widely deployed' software gets into the CVE. Thus, a bug in say, Hotmail or Google wouldn't make it in, because it's unique.

2) The CVE entries don't give you a scope for each vuln, based on how widespread it is. The CERT Vuln metric includes that information, but it (intentionally) conflates severity with how widespread the target is. Thus, an IE vuln that lets you crash the system would likely get a higher metric than a Galeon vuln that lets you run code.

http://www.kb.cert.org/vuls/html/fieldhelp#metric

This lack of good information about what really causes security problems makes it hard to do good security work that will help lots of people: Where do you start?

I think this is the most pernicious aspect of current attitudes towards disclosure. Get a bunch of security experts in a room with a bottle of scotch, and we've all been hacked. Attack is easier than defense. But we're hesitant to admit to the effect, which is we all get 0wned now and again.

Adam

On Fri, Jan 07, 2005 at 11:18:41AM -0800, Michael Howard wrote:
| I wrote some code to pull down the CVE XML file from cve.mitre.com and
| parse the results looking for keywords. This is NOT scientific, but
| here's my results:
|
| Getting stats for 2004
| TotalCount 1339
| isReserved 204
| isRejected 15
| isUnknown 50
|
| isBO 296
| isFormatString 33
| isIntOverflow 53
| isSQLinjection 30
| isXSS 73
| isInjection 60
| isTooMuchTrust 119
| isSymlink 49
| isRace 8
| isWeakPermission 13
|
| I have yet to analyze the other bugs not in the list above - some of the
| bug texts are very vague...
|
| [Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
| [Protect Your PC] http://www.microsoft.com/protect
| [Blog] http://blogs.msdn.com/michael_howard
|
| [On-line Security Training]
| http://mste/training/offerings.asp?TrainingID=53074
|
|
| -----Original Message-----
| From: Benjamin Livshits [mailto:livshits () cs stanford edu]
| Sent: Thursday, January 06, 2005 1:56 PM
| To: webappsec () securityfocus com
| Subject: Vulnerability statistics
|
| Looking at the OWASP's top ten list, are there any recent studies as to
| what fraction of vulnerabilities accounts for each of the top ten
| categories?
|
| What about the percentage of vulnerabilities caused by coding errors vs
| configuration flaws?
|
| Thanks,
| -Ben
|
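The keyword-counting approach Michael Howard describes (parse the CVE XML, bucket each entry by words in its description, set aside Reserved and Rejected entries) can be reconstructed as a small script. The code below is an added example, not Howard's program: the XML layout is a constructed stand-in for the CVE feed rather than the real cve.mitre.org schema, the sample entries are made up, and the keyword table is an assumption chosen to mirror the labels in his message. It also shows why such counts are "NOT scientific": one description can land in several buckets, and a vague description lands in none.

```python
"""Keyword classification of CVE-style entries (added example, not the
message author's code). XML layout, sample entries and keyword table are
all constructed assumptions."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample feed. <status> and <desc> are assumed element names.
SAMPLE_XML = """<?xml version="1.0"?>
<cve>
  <item name="CVE-2004-0001"><status>Entry</status>
    <desc>Buffer overflow in the image parser allows remote attackers to execute arbitrary code via a long filename.</desc></item>
  <item name="CVE-2004-0002"><status>Entry</status>
    <desc>Format string vulnerability in the logging routine allows local users to gain privileges.</desc></item>
  <item name="CVE-2004-0003"><status>Entry</status>
    <desc>SQL injection vulnerability in login.php allows remote attackers to execute arbitrary SQL commands via the user parameter.</desc></item>
  <item name="CVE-2004-0004"><status>Entry</status>
    <desc>Cross-site scripting (XSS) vulnerability in search.cgi allows remote attackers to inject arbitrary web script.</desc></item>
  <item name="CVE-2004-0005"><status>Entry</status>
    <desc>Symlink attack in the temporary file handling allows local users to overwrite arbitrary files.</desc></item>
  <item name="CVE-2004-0006"><status>Entry</status>
    <desc>Integer overflow in the decoder leads to a heap-based buffer overflow.</desc></item>
  <item name="CVE-2004-0007"><status>Reserved</status><desc>** RESERVED **</desc></item>
  <item name="CVE-2004-0008"><status>Rejected</status><desc>** REJECT ** duplicate of another entry.</desc></item>
  <item name="CVE-2004-0009"><status>Entry</status>
    <desc>Unspecified vulnerability in the administration interface has unknown impact.</desc></item>
</cve>
"""

# Assumed keyword table using the labels from the message. Each value is a
# case-insensitive regex matched against the description text.
CATEGORIES = {
    "isBO": r"buffer overflow|stack-based|heap-based|overrun",
    "isFormatString": r"format string",
    "isIntOverflow": r"integer overflow|integer signedness",
    "isSQLinjection": r"sql injection",
    "isXSS": r"cross-site scripting|\bxss\b",
    "isSymlink": r"symlink|symbolic link",
    "isRace": r"race condition",
}


def classify(desc):
    """Return the set of category labels whose pattern occurs in desc.
    A description may match several labels, or none."""
    return {name for name, pat in CATEGORIES.items() if re.search(pat, desc, re.I)}


def count_categories(xml_text):
    """Tally entries per label the way the message reports them:
    Reserved and Rejected entries are counted but not classified, and an
    entry matching no keyword is counted as isUnknown."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    for item in root.iter("item"):
        counts["TotalCount"] += 1
        status = (item.findtext("status") or "").strip()
        desc = item.findtext("desc") or ""
        if status == "Reserved":
            counts["isReserved"] += 1
            continue
        if status == "Rejected":
            counts["isRejected"] += 1
            continue
        matched = classify(desc)
        if not matched:
            counts["isUnknown"] += 1
        for name in matched:
            counts[name] += 1
    return counts


if __name__ == "__main__":
    # On the constructed feed CVE-2004-0006 counts under both isBO and
    # isIntOverflow, so the category totals exceed the entry count.
    for label, n in count_categories(SAMPLE_XML).most_common():
        print(f"{label} {n}")
```

Because a single description can match several patterns, the per-category numbers do not sum to TotalCount; anyone comparing such tallies across years should decide up front whether an entry may be counted more than once, and keep the isUnknown bucket visible rather than dropping it, since it measures how much of the feed the keyword table simply cannot see.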
Current thread:
- RE: Vulnerability statistics Michael Howard (Jan 07)
- Re: Vulnerability statistics Adam Shostack (Jan 08)
- <Possible follow-ups>
- Re: Vulnerability statistics Steven M. Christey (Jan 14)
- RE: Vulnerability statistics Michael Howard (Jan 16)