Tag: Vulnerability Statistics
-
Response to Kenna Security’s Explanation of the DBIR Vulnerability Mess
[This was originally published on the OSVDB blog.] Earlier this week, Michael Roytman of Kenna Security wrote a blog with more details about the vulnerability section of the Verizon DBIR report, partially in response to my last blog here questioning how some of the data was generated and the conclusions put forth. The one real…
-
A Note on the Verizon DBIR 2016 Vulnerabilities Claims
[This was originally published on the OSVDB blog.] [Updated 4/28/2016] Verizon released their yearly Data Breach Investigations Report (DBIR) and it wasn’t too long before I started getting asked about their “Vulnerabilities” section (page 13). After bringing up some highly questionable points about last year’s report regarding vulnerabilities, several people felt that the report did…
-
A Note on the Verizon DBIR 2015, “Incident Counting”, and VDBs
[This was originally published on the OSVDB blog.] Recently, the Verizon 2015 Data Breach Investigations Report (DBIR) was released to much fanfare as usual, prompting a variety of media outlets to analyze the analysis. A few days after the release, I caught a Tweet linking to a blog from Rory McCune that challenged one aspect…
-
Reviewing the Secunia 2015 Vulnerability Review (A Redux)
It’s that time of year again! Vulnerability databases whip up reports touting statistics and observations based on their last year of collecting data. It’s understandable, especially for a commercial database, to show why your data source is the best. In the past, we haven’t had a strong desire to whip up a flashy PDF with…
-
SQLi Disclosures and the Last Five Years (Transparent Statistics)
[This was originally published on the OSVDB blog.] Nothing like waking up to a new article purporting to show vulnerability statistics and having someone ask us for comment. But hey, we love giving additional perspective on such statistics since they are often without proper context and disclaimers. This morning, the new article comes from Help…
-
Reviewing the Secunia 2013 Vulnerability Review
[This was originally published on the OSVDB blog.] On February 26, Secunia released their annual vulnerability report (link to report PDF) summarizing the computer security vulnerabilities they had cataloged over the 2013 calendar year. For those not familiar with their vulnerability database (VDB), we consider them a ‘specialty’ VDB rather than a ‘comprehensive’ VDB (e.g.…
-
I could do this all day… (Poor vuln stats from @GFISoftware)
[This was originally published on the OSVDB blog.] Despite the talk given at BlackHat 2013 by Steve Christey and myself, companies continue to produce pedestrian and inaccurate statistics. This batch comes from Cristian Florian at GFI Software and offers little more than confusing and misleading statistics. Florian falls into many of the traps and pitfalls…
-
An Open Letter to Ashley Carman, @SCMagazine, and @SkyboxSecurity
[This was originally published on the OSVDB blog.] [Sent to Ashley directly via email. Posting for the rest of the world as yet another example of how vulnerability statistics are typically done poorly. In this case, a company that does not aggregate vulnerabilities themselves, and has no particular expertise in vulnerability metrics weighs in on…
-
Buying Into the Bias: Why Vulnerability Statistics Suck [Abstract]
[This was originally published on the OSVDB blog.] Last week, Steve Christey and I gave a presentation at Black Hat Briefings 2013 in Las Vegas about vulnerability statistics. We submitted a brief whitepaper on the topic, reproduced below, to accompany the slides that are now available. Buying Into the Bias: Why Vulnerability Statistics SuckBy Steve…
-
Buying Into the Bias: Why Vulnerability Statistics Suck [Presentation]
Steve Christey, the CVE Editor from MITRE, and I gave a presentation at Black Hat Briefings 2013 on the problems we have witnessed over the years with poor vulnerability statistics. Rather than just debunk a handful, which we did, we also went into extensive detail on the different types of bias that ultimately lead to…