Tag: Steven Christey

  • New libssh Vulnerability – No Logo But Plenty Of Attention

    [This was originally published on RiskBasedSecurity.com.] Earlier this week, Andreas Schneider announced the release of a new version of libssh, covering “an important security” that addressed “an authentication bypass vulnerability in the server code”. Pretty quickly we saw several news articles published that covered this issue, as well as third-party blogs that added commentary on the technical side of the vulnerability. Since we were following the…

  • Our New Year Vulnerability “Trends” Prediction!

    [This was originally published on RiskBasedSecurity.com.] Shortly after a year closes out, the industry is treated to dozens of security companies that want to tell you all about vulnerability totals and trends from the previous year. In many cases, the companies offering the predictions are armchair experts of sorts, who do not aggregate vulnerability…

  • Ruminations on David Weinstein’s “Ruminations on App CVEs”

    [This was originally published on the OSVDB blog.] David Weinstein, a researcher at NowSecure, has posted a blog titled “Ruminations on App CVEs”. Thanks to Will Dormann’s Tweet it came to our attention, and he is correct! We have opinions on this. Quoted material below is from Weinstein’s blog unless otherwise attributed. CVE is well-positioned…

  • Vendors sure like to wave the “coordination” flag… (revisiting the ‘perfect storm’)

    [This was originally published on the OSVDB blog.] I’ve written about coordinated disclosure and the debate around it many times in the past. I like to think that I do so in a way that is above and beyond the usual old debate. This is another blog dedicated to an aspect of “coordinated” disclosure that…

  • SQLi Disclosures and the Last Five Years (Transparent Statistics)

    [This was originally published on the OSVDB blog.] Nothing like waking up to a new article purporting to show vulnerability statistics and having someone ask us for comment. But hey, we love giving additional perspective on such statistics since they are often without proper context and disclaimers. This morning, the new article comes from Help…

  • CVE Is Baffling Some Nights

    [This was originally published on the OSVDB blog.] CVE, managed by MITRE, a ‘sole-source’ government contractor that gets as much as one million dollars a year from the government (or more) to run the project, is a confusing entity. Researchers who have reached out to CVE for assignment or clarification on current assignments have gone…

  • howdoireportavuln.com – Good intentions, needs fix-ups though

    [This was originally published on the OSVDB blog.] Tonight, shortly before retiring from a long day of vulnerability import, I caught a tweet mentioning a web site about reporting vulnerabilities. Per whois it was created on 15-aug-2013, and the footer shows it was written by Fraser Scott, aka @zeroXten on Twitter: http://howdoireportavuln.com/ I love focused web sites that…

  • Buying Into the Bias: Why Vulnerability Statistics Suck [Abstract]

    [This was originally published on the OSVDB blog.] Last week, Steve Christey and I gave a presentation at Black Hat Briefings 2013 in Las Vegas about vulnerability statistics. We submitted a brief whitepaper on the topic, reproduced below, to accompany the slides that are now available. Buying Into the Bias: Why Vulnerability Statistics Suck, by Steve…

  • Buying Into the Bias: Why Vulnerability Statistics Suck [Presentation]

    Steve Christey, the CVE Editor from MITRE, and I gave a presentation at Black Hat Briefings 2013 on the problems we have witnessed over the years with poor vulnerability statistics. Rather than just debunk a handful, which we did, we also went into extensive detail on the different types of bias that ultimately lead to…

  • Android versus iOS Security – Not Again…

    [This was originally published on the OSVDB blog.] About two weeks ago, another round of vulnerability stats got passed around. Like others before, it claims to use CVE to compare Apple iOS versus Android in an attempt to establish which is more secure based on “vulnerability counts”. The statistics put forth are basically meaningless, because…