18 Nov 2010, post #1
Security: Why Counting Flaws is Flawed
Once or twice each year, some security company trots out a “study” that counts the number of vulnerabilities that were found and fixed in widely used software products over a given period and then pronounces the worst offenders in a Top 10 list that is supposed to tell us something useful about the relative security of these programs. And nearly without fail, the security press parrots this information as if it were newsworthy.
The reality is that these types of vulnerability count reports — like the one issued this week by application whitelisting firm Bit9 — seek to measure a complex, multi-faceted problem from a single dimension. It’s a bit like trying to gauge the relative quality of different Swiss cheese brands by comparing the number of holes in each: The result offers almost no insight into the quality and integrity of the overall product, and in all likelihood leads to erroneous and — even humorous — conclusions.
The Bit9 report is more notable for what it fails to measure than for what it does, which is precious little: The applications included in its 2010 “Dirty Dozen” Top Vulnerable Applications list had to: