Secure Coding mailing list archives

Wysopal says tipping point reached...


From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 6 Nov 2008 01:32:21 -0500 (EST)


On Tue, 4 Nov 2008, Benjamin Tomhave wrote:

> An interesting read. Not much to really argue with, I don't think.
> http://www.veracode.com/blog/2008/11/we%e2%80%99ve-reached-the-application-security-tipping-point/

Agree.  But, just to bolster (if it's relevant), I'll expand on my comment
to that blog post:

While we have not done a similar analysis in CVE, I believe that ISS'
statistics are valid based on what we are seeing.

Further, for the OS software vendors, the types of vulnerabilities are
often unusual (e.g. use-after-free, missing initialization) or very
difficult to find and exploit.  This suggests a significant difference
between the level of security at the OS level versus the application
level.  Generally speaking, of course.  (See the 2006 CVE vulnerability
trends for further proof of differences between OS and application stats;
yes, we'll be updating those stats for 2007/2008).

- Steve

P.S. the Veracode blog post generated 6 W3C validation errors, so it's
more authoritative than some other web pages.  Sorry if this joke doesn't
register with people, I forget which mailing list people will find this
postscript semi-hilarious/semi-cynical in.
