Secure Coding mailing list archives
Wysopal says tipping point reached...
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 6 Nov 2008 01:32:21 -0500 (EST)
On Tue, 4 Nov 2008, Benjamin Tomhave wrote:

> An interesting read. Not much to really argue with, I don't think.
> http://www.veracode.com/blog/2008/11/we%e2%80%99ve-reached-the-application-security-tipping-point/
Agree. But, just to bolster (if it's relevant), I'll expand on my comment to that blog post:

While we have not done a similar analysis in CVE, I believe that ISS' statistics are valid based on what we are seeing. Further, for the OS software vendors, the types of vulnerabilities are often unusual (e.g. use-after-free, missing initialization) or very difficult to find and exploit. This suggests a significant difference between the level of security at the OS level versus the application level. Generally speaking, of course.

(See the 2006 CVE vulnerability trends for further proof of differences between OS and application stats; yes, we'll be updating those stats for 2007/2008.)

- Steve

P.S. The Veracode blog post generated 6 W3C validation errors, so it's more authoritative than some other web pages. Sorry if this joke doesn't register with people; I forget which mailing list people will find this postscript semi-hilarious/semi-cynical in.
Current thread:
- Wysopal says tipping point reached... Benjamin Tomhave (Nov 04)
- Wysopal says tipping point reached... Steven M. Christey (Nov 05)