Tag: Rebuttal

  • Response to Kenna Security’s Explanation of the DBIR Vulnerability Mess

    [This was originally published on the OSVDB blog.] Earlier this week, Michael Roytman of Kenna Security wrote a blog with more details about the vulnerability section of the Verizon DBIR report, partially in response to my last blog here questioning how some of the data was generated and the conclusions put forth. The one real […]

  • A Note on the Verizon DBIR 2016 Vulnerabilities Claims

    [This was originally published on the OSVDB blog.] [Updated 4/28/2016] Verizon released their yearly Data Breach Investigations Report (DBIR) and it wasn’t too long before I started getting asked about their “Vulnerabilities” section (page 13). After bringing up some highly questionable points about last year’s report regarding vulnerabilities, several people felt that the report did […]

  • Reviewing the Secunia 2015 Vulnerability Review (A Redux)

    It’s that time of year again! Vulnerability databases whip up reports touting statistics and observations based on their last year of collecting data. It’s understandable, especially for a commercial database, to show why your data source is the best. In the past, we haven’t had a strong desire to whip up a flashy PDF with […]

  • Reviewing the Secunia 2013 Vulnerability Review

    [This was originally published on the OSVDB blog.] On February 26, Secunia released their annual vulnerability report (link to report PDF) summarizing the computer security vulnerabilities they had cataloged over the 2013 calendar year. For those not familiar with their vulnerability database (VDB), we consider them a ‘specialty’ VDB rather than a ‘comprehensive’ VDB (e.g. […]

  • I could do this all day… (Poor vuln stats from @GFISoftware)

    [This was originally published on the OSVDB blog.] Despite the talk given at BlackHat 2013 by Steve Christey and myself, companies continue to produce pedestrian and inaccurate statistics. This batch comes from Cristian Florian at GFI Software and offers little more than confusing and misleading statistics. Florian falls into many of the traps and pitfalls […]

  • An Open Letter to Ashley Carman, @SCMagazine, and @SkyboxSecurity

    [This was originally published on the OSVDB blog.] [Sent to Ashley directly via email. Posting for the rest of the world as yet another example of how vulnerability statistics are typically done poorly. In this case, a company that does not aggregate vulnerabilities themselves, and has no particular expertise in vulnerability metrics weighs in on […]

  • Android versus iOS Security – Not Again…

    [This was originally published on the OSVDB blog.] About two weeks ago, another round of vulnerability stats got passed around. Like others before, it claims to use CVE to compare Apple iOS versus Android in an attempt to establish which is more secure based on “vulnerability counts”. The statistics put forth are basically meaningless, because […]

  • Rebuttal: Cyberwar, Part 73

    [This was originally posted on attrition.org.] This is a rebuttal piece to a series of Tweets by Dan Holden on 2013-03-11 (displayed below). Please note, that @ErrataRob and @DesmondHolden both provided follow-up, which are included below my rebuttal. If you read mine, read theirs. If that isn’t acceptable, navigate away now. I’ve been pretty vocal about my […]

  • CVE Vulnerabilities: How Your Dataset Influences Statistics

    [This was originally published on the OSVDB blog.] Readers may recall that I blogged about a similar topic just over a month ago, in an article titled Advisories != Vulnerabilities, and How It Affects Statistics. In this installment, instead of “advisories”, we have “CVEs” and the inherent problems when using CVE identifiers in the place […]

  • Rebuttal: Worst Anecdote …EVER.

    [This was originally published on attrition.org. This is a rebuttal piece to Worst April Fools’ Joke …EVER. (2010-04-01) by @wh1t3rabbit (Rafal Los).] To kick off this month of colossal “whoops-es” I thought I would tell you guys a story from way, way back when the web was young, and “developers” used notepad to write “web sites”. It was […]