
Security vulnerabilities are clearly rising


Presentation Transcript


  1. Security vulnerabilities are clearly rising
  • NVD = National Vulnerability Database
  • CERT = US-CERT database
  • OSVDB = Open Source Vulnerability Database

  2. Published vulnerabilities cost a vendor real money
  • A study based on real vulnerability announcements in 1999-2004 revealed an average drop of the concerned vendor's stock price of 0.6% after each vulnerability announcement
  • Telang / Wattal, Carnegie Mellon University, 2004: "Impact of Software Vulnerability Announcements on the Market Value of Software Vendors – an Empirical Investigation"
  • ... not to mention the damage to the vendor's reputation

  3. Most vulnerabilities are caused by careless programming
  • 64% of the vulnerabilities in ICAT (now: NVD) in 2004 are due to programming errors
  • 51% of those are due to classic errors like buffer overflows, cross-site scripting, and injection flaws
  • Heffley / Meunier (2004): "Can Source Code Auditing Software Identify Common Vulnerabilities and Be Used to Evaluate Software Security?"
  • Cross-site scripting and SQL injection were at the top of the statistics (CVE, Bugtraq) in 2006
  • "We wouldn't need so much network security if we didn't have such bad software security" (Bruce Schneier)
