Information Security News mailing list archives

Secunia vulnerability report questioned by experts


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 21 Mar 2014 08:21:57 +0000 (UTC)

http://blogs.csoonline.com/security-industry/3082/secunia-vulnerability-report-questioned-experts

By Steve Ragan
Salted Hash
CSO Online
March 19, 2014

On Tuesday, the OSVDB project outlined various problems with Secunia's annual vulnerability report, including instances where Secunia counted vulnerabilities multiple times, or under-reported them. The project also took issue with how Secunia classified third-party products, which the Copenhagen-based firm says are non-Microsoft programs, a definition that isn't shared by a majority of the security community.

  "In the world of VDBs, we frequently refer to a third-party component a
  'library' that is integrated into a bigger package," the post explains.

  "The notion that “non-Microsoft” software is “third-party” is very weird
  for lack of better words, and shows the mindset and perspective of
  Secunia. This completely discounts users of Apple, Linux, VMs (e.g.
  Oracle, VMware, Citrix), and mobile devices among others. Such a
  Microsoft-centric report should clearly be labeled as such, not as a
  general vulnerability report."

The project acknowledged that their observations may be biased, as they are a direct competitor to Secunia due to the involvement of their commercial partner Risk Based Security (RBS) - but after looking at the source data, it's hard to ignore the numbers.

To begin with, when examining the opening totals from Secunia, the OSVDB project says they are "incorrect and entirely misleading."
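The three methodology problems the article names (counting one vulnerability once per product that ships it, losing advisories that carry no identifier, and defining "third-party" as "non-Microsoft" rather than as a bundled component) can be made concrete on a handful of advisory records. The script below is an added illustration, not code from CSO Online, OSVDB or Secunia; the advisory records, vendor names and CVE-style identifiers in it are constructed for the example and do not describe real advisories, and the "first vendor to publish a CVE is its origin" rule is an assumption chosen to model the library-bundling definition.

```python
"""Vulnerability-count methodology demo over constructed advisory records."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    cve_ids: Tuple[str, ...]  # vulnerability identifiers the advisory covers


# Constructed sample records (hypothetical; not taken from the Secunia or
# OSVDB reports). Two identifiers appear under more than one vendor because
# a library or plug-in is bundled into a larger product.
ADVISORIES: List[Advisory] = [
    Advisory("ADV-1", "Microsoft", "Windows", ("CVE-0000-0001",)),
    Advisory("ADV-2", "Microsoft", "Office", ("CVE-0000-0002", "CVE-0000-0003")),
    Advisory("ADV-3", "Adobe", "Flash Player", ("CVE-0000-0004",)),
    Advisory("ADV-4", "Google", "Chrome", ("CVE-0000-0004",)),   # bundled Flash
    Advisory("ADV-5", "OpenSSL", "libssl", ("CVE-0000-0005",)),
    Advisory("ADV-6", "Apple", "macOS", ("CVE-0000-0005",)),     # bundled OpenSSL
    Advisory("ADV-7", "Apple", "macOS", ()),                     # fixed, no CVE assigned
]


def count_per_advisory(advisories: List[Advisory]) -> int:
    """One count per advisory: inflates when a bug is re-shipped by several vendors."""
    return len(advisories)


def count_cve_occurrences(advisories: List[Advisory]) -> int:
    """Sum of CVE references: a shared CVE is counted once per vendor that lists it."""
    return sum(len(a.cve_ids) for a in advisories)


def count_unique_cves(advisories: List[Advisory]) -> int:
    """Distinct vulnerabilities: each CVE counted once regardless of how many products ship it."""
    return len({cve for a in advisories for cve in a.cve_ids})


def uncounted_advisories(advisories: List[Advisory]) -> List[str]:
    """Advisories with no identifier vanish from any per-CVE total (one source of under-reporting)."""
    return [a.advisory_id for a in advisories if not a.cve_ids]


def bundled_component_advisories(advisories: List[Advisory]) -> List[str]:
    """Advisories that re-ship a CVE first published by a different vendor.

    Models the 'library integrated into a bigger package' notion of third-party.
    Assumption: the first advisory (in list order) naming a CVE is the originating
    vendor; later advisories from other vendors for that CVE are bundled copies.
    """
    first_vendor: Dict[str, str] = {}
    bundled: List[str] = []
    for a in advisories:
        for cve in a.cve_ids:
            origin = first_vendor.setdefault(cve, a.vendor)
            if origin != a.vendor and a.advisory_id not in bundled:
                bundled.append(a.advisory_id)
    return bundled


def breakdown_non_microsoft(advisories: List[Advisory]) -> Dict[str, int]:
    """The 'third-party means non-Microsoft' split criticised in the article."""
    out = {"Microsoft": 0, "third-party": 0}
    for a in advisories:
        out["Microsoft" if a.vendor == "Microsoft" else "third-party"] += 1
    return out


def breakdown_bundled(advisories: List[Advisory]) -> Dict[str, int]:
    """Third-party as bundled components; everything else is the vendor's own code."""
    bundled = set(bundled_component_advisories(advisories))
    out = {"own code": 0, "third-party": 0}
    for a in advisories:
        out["third-party" if a.advisory_id in bundled else "own code"] += 1
    return out


if __name__ == "__main__":
    print("per advisory:      ", count_per_advisory(ADVISORIES))
    print("CVE occurrences:   ", count_cve_occurrences(ADVISORIES))
    print("unique CVEs:       ", count_unique_cves(ADVISORIES))
    print("no identifier:     ", uncounted_advisories(ADVISORIES))
    print("bundled components:", bundled_component_advisories(ADVISORIES))
    print("non-Microsoft split:", breakdown_non_microsoft(ADVISORIES))
    print("bundled split:      ", breakdown_bundled(ADVISORIES))
```

On the constructed records the per-advisory and per-occurrence totals both come to seven while only five distinct vulnerabilities exist, one advisory drops out of any CVE-based count entirely, and the two definitions of "third-party" put five versus two advisories in that bucket. Whichever convention a report adopts, stating it up front is what lets a reader compare its headline totals with another database's.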

[...]
