You also are not taking into account the number of vulnerabilities that are discovered by security consultants under NDA which are never published.
I have lost the count on the number of vulnerabilities (at the time zero-days) that I have discovered in commercial software and where never published (and in some cases even patched or communicated to their clients/users). And when talking to my peers, I would estimate that if these vulnerabilities discovered under NDAs where reported, the number below would be much, much, much bigger. Maybe one day when companies are forced (by law) to disclose the vulnerabilities that they know exist in their products (maybe in a format similar to http://research.eeye.com/html/advisories/upcoming/), we will have a good picture of what is really going on. Dinis Cruz Chief OWASP Evangelist http://www.owasp.org On 1/24/07, pete werner <[EMAIL PROTECTED]> wrote:
This strikes me as largely meaningless, bordering on good news. More bugs found = more bugs fixed = more secure software. I dont really think you can compare the numbers from 2001 and 2006 though. There's way more people looking for bugs now than there were in 2001. Maybe there were more bugs around in 2001 as secure coding practises still weren't well known, and security was nowhere as mainstream as it is now, so your average developer was less aware of secure coding practises and techniques. Also, nowadays people rush to disclose vulnerabilites, no matter how minor they may be. There were plenty of vulnerabilites discovered in 2001 that weren't publicly disclosed, and some that probably still remain undisclosed. I would be interested to see what conclusions you can actually draw from these figures (really). On 1/23/07, Kenneth Van Wyk <[EMAIL PROTECTED]> wrote: > > FYI, CERT/CC reported 8064 software vulnerabilities in 2006, for a 35% > increase over 2005. > > See > http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/ > > The article further states, "The greatest factor in the skyrocketing number > of vulnerabilities is that certain types of flaws in community and > commercial Web applications have become much easier to find, said Art > Manion, vulnerability team lead for the CERT Coordination Center. > > 'The best we can figure, most of the growth is due to fairly > easy-to-discover vulnerabilities in Web applications," Manion said. "They > are easy to find, easy to create, and easy to deploy.'" > > Cheers, > > Ken > ----- > Kenneth R. van Wyk > SC-L Moderator > KRvW Associates, LLC > http://www.KRvW.com > > > > > > _______________________________________________ > Secure Coding mailing list (SC-L) SC-L@securecoding.org > List information, subscriptions, etc - > http://krvw.com/mailman/listinfo/sc-l > List charter available at - > http://www.securecoding.org/list/charter.php > SC-L is hosted and moderated by KRvW Associates, LLC ( http://www.KRvW.com) > as a free, non-commercial service to the software security community. > _______________________________________________ > > > > _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
--
_______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
