Hi Stephan,

In my view, it would be even better to study the difference in external bug 
emphasis (as driven by full disclosure and the CVE) and internal bug emphasis 
(as driven by an organization's own top N list).  Once again, this is a 
difference in emphasis you might put as "reactive" versus "proactive."  I think 
we all agree a proactive solution to software security is most effective from a 
cost perspective.  We also know from experience that external pressure is 
sometimes necessary to cause change.

To put a slightly finer point on it, I wonder whether the "scatter" you can 
observe outside of the black box looks completely different than the in-the-box 
view.  In this case, an organization's codebase and dev shop is "the box" and 
the external bug reports are outside.  I have a feeling that it is.

Trento has a special place in my heart as I lived there from 8/93-8/94 and 
worked at IRST.  Say hi to Cognola for me.

gem

http://www.cigital.com/~gem


On 3/19/09 4:42 AM, "Stephan Neuhaus" <stephan.neuh...@disi.unitn.it> wrote:

On Mar 18, 2009, at 23:14, Steven M. Christey wrote:

> I believe this is reflected in public CVE data.  Take a look at the bugs
> that are being reported for, say, Microsoft or major Linux vendors or most
> any product with a long history, and their current number 1's are not the
> same as the number 1's of the past.

I am trying to get funding for a study that would address precisely
this issue.  Here is a write-up that I made for the Master students
here at the University of Trento that explains in more detail what I'm
trying to do; perhaps someone on this list is interested in
collaborating: http://www.disi.unitn.it/~neuhaus/proposals/Security-Trends.pdf

Best,

Stephan


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________