Tag: Vulnerability Tourists
-
I could do this all day… (Poor vuln stats from @GFISoftware)
[This was originally published on the OSVDB blog.] Despite the talk given at BlackHat 2013 by Steve Christey and myself, companies continue to produce pedestrian and inaccurate statistics. This batch comes from Cristian Florian at GFI Software and offers little more than confusing and misleading statistics. Florian falls into many of the traps and pitfalls…
-
An Open Letter to Ashley Carman, @SCMagazine, and @SkyboxSecurity
[This was originally published on the OSVDB blog.] [Sent to Ashley directly via email. Posting for the rest of the world as yet another example of how vulnerability statistics are typically done poorly. In this case, a company that does not aggregate vulnerabilities themselves, and has no particular expertise in vulnerability metrics weighs in on…
-
Android versus iOS Security – Not Again…
[This was originally published on the OSVDB blog.] About two weeks ago, another round of vulnerability stats got passed around. Like others before, it claims to use CVE to compare Apple iOS versus Android in an attempt to establish which is more secure based on “vulnerability counts”. The statistics put forth are basically meaningless, because…
-
CVE Vulnerabilities: How Your Dataset Influences Statistics
[This was originally published on the OSVDB blog.] Readers may recall that I blogged about a similar topic just over a month ago, in an article titled Advisories != Vulnerabilities, and How It Affects Statistics. In this installment, instead of “advisories”, we have “CVEs” and the inherent problems when using CVE identifiers in the place…
-
Advisories != Vulnerabilities, and How It Affects Statistics
[This was originally published on the OSVDB blog.] I’ve written about the various problems with generating vulnerability statistics in the past. There are countless factors that contribute to, or skew vulnerability stats. This is an ongoing problem for many reasons. First, important numbers are thrown around in the media and taken as gospel, creating varying…
-
Adobe, Qualys, CVE, and Math
[This was originally published on the OSVDB blog.] Elinor Mills wrote an article titled Firefox, Adobe top buggiest-software list. In it, she quotes Qualys as providing vulnerability statistics for Mozilla, Adobe and others. Qualys states: The number of vulnerabilities in Adobe programs rose from 14 last year to 45 this year, while those in Microsoft…
-
2007 Top Vulnerable Vendors?
[This was originally published on the OSVDB blog.] http://www.eweek.com/article2/0,1895,2184206,00.asp http://www.eweek.com/c/a/Security/Report-MS-Apple-Oracle-Are-Top-Vulnerable-Vendors/ New IBM research shows that five vendors are responsible for 12.6 percent of all disclosed vulnerabilities. Not surprising: In the first half of 2007, Microsoft was the top vendor when it came to publicly disclosed vulnerabilities. Likely surprising to some: Apple got second place. IBM Internet…
-
SANS Top 20 Report – Deja Vu
[This was originally published on the OSVDB blog.] I previously blogged about the SANS Top 20 List in a pretty negative fashion. The list started off as the “Top 10 Vulnerabilities” and quickly expanded into the Top 20 Vulnerabilities. Even last year (2005), they were still calling it a “Top 20 Vulnerabilities” list when it…
-
Depending on how you count flaws..
[This was originally published on the OSVDB blog.] After flap, Symantec adjusts browser bug count. Depending on how you count flaws, either IE or Firefox could be considered less secure. News Story by Robert McMillan, MARCH 07, 2006 (IDG NEWS SERVICE) – A report issued today by Symantec Corp. seeks to satisfy users of both Mozilla Corp.’s…
-
Mac vs Windows – More “Statistics”
[This was originally published by the OSVDB blog.] Yet another article comparing Mac vs Windows, and using statistics to back it up. Since this is getting to be a common occurrence, I won’t go into the usual lecture about statistics, how they can easily be manipulated to back any argument (including how VAX/VMS is the…