On Tue, 4 Nov 2008, Benjamin Tomhave wrote:

> An interesting read. Not much to really argue with, I don't think.
> http://www.veracode.com/blog/2008/11/we%e2%80%99ve-reached-the-application-security-tipping-point/

Agree. But, just to bolster (if it's relevant), I'll expand on my comment to that blog post:

While we have not done a similar analysis in CVE, I believe that ISS' statistics are valid based on what we are seeing. Further, for the OS software vendors, the types of vulnerabilities are often unusual (e.g. use-after-free, missing initialization) or very difficult to find and exploit. This suggests a significant difference between the level of security at the OS level versus the application level. Generally speaking, of course. (See the 2006 CVE vulnerability trends for further proof of differences between OS and application stats; yes, we'll be updating those stats for 2007/2008.)

- Steve

P.S. The Veracode blog post generated 6 W3C validation errors, so it's more authoritative than some other web pages. Sorry if this joke doesn't register with people; I forget which mailing list people will find this postscript semi-hilarious/semi-cynical in.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________