
November 9th, 2009

Counting vulnerabilities is pointless

Posted by Adrian Kingsley-Hughes @ 11:36 am

Categories: Security

Tags: Vulnerability, Security, Adrian Kingsley-Hughes

Application security vendor Cenzic released a report today highlighting Mozilla Firefox as the most vulnerable web browser based on vulnerability count. Problem is, counting vulnerabilities is pointless. In fact, it’s worse than pointless: it can lead us to draw false conclusions.

Sure, the report makes interesting reading, highlights of which are:

  • 78 percent of the total reported vulnerabilities affected Web technologies, such as Web servers, applications, Web browsers, Plugins and ActiveX, which is a significant increase from last year.
  • Of Web browser vulnerabilities, Firefox had the largest percentage, at 44 percent. Safari vulnerabilities came in at 35 percent, significantly higher than even Internet Explorer.
  • Sun Java, PHP, and Apache continue to be among the Top 10 vendors having the most severe vulnerabilities for the first half of 2009.

Problem is, the information you get from a vulnerability count is next to pointless. Why? Because it’s a weak metric thrown around by people who put too much faith in numbers. Let me give you an example.

Let’s say you give me a gold coin to look after. Which would bother you more: that I left your coin in an unlocked car on the side of the road, or that I left it unlocked in a secure compound surrounded by security cameras and attack dogs? In both situations there’s only one big security vulnerability, but the two situations are far from equal.

As far as vulnerabilities go, there are far better metrics than count. Time to fix is an important one, as is the number of zero-day vulnerabilities. Then there’s the overall severity of the vulnerability in question.

I also think we should be paying attention to more exotic metrics, such as how many unpatched users there are and how many days a product has exposed its users to vulnerabilities over a specific period.
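As an added illustration (not from the article, and using constructed records rather than real vulnerabilities), the script below scores two hypothetical browsers on the metrics argued for above: zero-days, unpatched vulnerabilities, time to fix, and severity-weighted days of exposure. The severity scale and the weighting are assumptions; the point is that the product with the higher count is not the one with the worse exposure.

```python
# Added example (not from the article): ranking products by exposure, not by count.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Vuln:
    product: str
    disclosed: date
    patched: Optional[date]  # None means still unpatched on the report date
    severity: float          # assumed 0-10 scale, e.g. a CVSS base score
    zero_day: bool           # exploited in the wild before a fix existed

def days_exposed(v: Vuln, as_of: date) -> int:
    """Days users were exposed: disclosure until the patch, or until as_of."""
    end = v.patched or as_of
    return max((end - v.disclosed).days, 0)

def summarize(vulns: list, as_of: date) -> dict:
    """Per-product metrics from the article, computed alongside the raw count."""
    out = {}
    for v in vulns:
        s = out.setdefault(v.product, {"count": 0, "zero_days": 0, "unpatched": 0,
                                       "exposure_days": 0, "weighted_exposure": 0.0,
                                       "fix_times": []})
        d = days_exposed(v, as_of)
        s["count"] += 1
        s["zero_days"] += int(v.zero_day)
        s["unpatched"] += int(v.patched is None)
        s["exposure_days"] += d
        s["weighted_exposure"] += v.severity * d  # assumed weighting: severity x days
        if v.patched:
            s["fix_times"].append(d)
    for s in out.values():
        ft = s.pop("fix_times")
        s["mean_days_to_fix"] = sum(ft) / len(ft) if ft else None
    return out

def rank_by(summary: dict, metric: str) -> list:
    """Products ordered worst-first on one metric (None sorts last)."""
    return sorted(summary, key=lambda p: (summary[p][metric] is None,
                                          -(summary[p][metric] or 0)))

AS_OF = date(2009, 11, 9)
SAMPLE = [  # constructed records, not real CVEs or real products
    Vuln("BrowserA", date(2009, 10, 1), date(2009, 10, 4), 4.0, False),
    Vuln("BrowserA", date(2009, 10, 5), date(2009, 10, 7), 5.0, False),
    Vuln("BrowserA", date(2009, 10, 10), date(2009, 10, 14), 3.5, False),
    Vuln("BrowserA", date(2009, 10, 20), date(2009, 10, 21), 6.0, False),
    Vuln("BrowserB", date(2009, 9, 10), None, 9.0, True),
    Vuln("BrowserB", date(2009, 10, 15), date(2009, 11, 4), 7.5, False),
]

if __name__ == "__main__":
    s = summarize(SAMPLE, AS_OF)
    for metric in ("count", "weighted_exposure", "zero_days", "mean_days_to_fix"):
        print(f"{metric:>18} (worst first): {rank_by(s, metric)}")
```

With these records BrowserA "wins" on count (4 vs 2) but BrowserB is worst on every other metric, which is exactly the distortion the article describes.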

Bottom line: counting individual vulnerabilities is not only pointless, it can cause people to draw incorrect conclusions.

Thoughts?

Adrian Kingsley-Hughes is a technology journalist and author who has devoted over a decade to helping users get the most from technology. He also runs a popular blog called The PC Doctor.


Right to Reply: Should any industry representatives wish to comment on any posts on Hardware 2.0, I will be happy to publish their reply verbatim on this blog.
