You also are not taking into account the number of vulnerabilities that are discovered by security consultants under NDA which are never published.<br><br>I have lost count of the number of vulnerabilities (zero-days at the time) that I have discovered in commercial software and that were never published (and in some cases not even patched or communicated to their clients/users).
<br><br>And when talking to my peers, I would estimate that if these vulnerabilities discovered under NDAs were reported, the number below would be much, much, much bigger.<br><br>Maybe one day when companies are forced (by law) to disclose the vulnerabilities that they know exist in their products (maybe in a format similar to
<a href="http://research.eeye.com/html/advisories/upcoming/">http://research.eeye.com/html/advisories/upcoming/</a>), we will have a good picture of what is really going on.<br><br>Dinis Cruz<br>Chief OWASP Evangelist<br>
<a href="http://www.owasp.org">http://www.owasp.org</a>
<br><br><div><span class="gmail_quote">On 1/24/07, <b class="gmail_sendername">pete werner</b> <<a href="mailto:peter.werner@gmail.com">peter.werner@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
This strikes me as largely meaningless, bordering on good news. More<br>bugs found = more bugs fixed = more secure software.<br><br>I don't really think you can compare the numbers from 2001 and 2006<br>though. There are way more people looking for bugs now than there were
<br>in 2001. Maybe there were more bugs around in 2001 as secure coding<br>practices still weren't well known, and security was nowhere near as<br>mainstream as it is now, so your average developer was less aware of<br>secure coding practices and techniques.
<br><br>Also, nowadays people rush to disclose vulnerabilities, no matter how<br>minor they may be. There were plenty of vulnerabilities discovered in<br>2001 that weren't publicly disclosed, and some that probably still
<br>remain undisclosed.<br><br>I would be interested to see what conclusions you can actually draw<br>from these figures (really).<br><br>On 1/23/07, Kenneth Van Wyk <<a href="mailto:ken@krvw.com">ken@krvw.com</a>> wrote:
<br>><br>> FYI, CERT/CC reported 8064 software vulnerabilities in 2006, for a 35%<br>> increase over 2005.<br>><br>> See<br>> <a href="http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/">http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/
</a><br>><br>> The article further states, "The greatest factor in the skyrocketing number<br>> of vulnerabilities is that certain types of flaws in community and<br>> commercial Web applications have become much easier to find, said Art
<br>> Manion, vulnerability team lead for the CERT Coordination Center.<br>><br>> 'The best we can figure, most of the growth is due to fairly<br>> easy-to-discover vulnerabilities in Web applications," Manion said. "They
<br>> are easy to find, easy to create, and easy to deploy.'"<br>><br>> Cheers,<br>><br>> Ken<br>> -----<br>> Kenneth R. van Wyk<br>> SC-L Moderator<br>> KRvW Associates, LLC<br>> <a href="http://www.KRvW.com">
http://www.KRvW.com</a><br>><br>><br>><br>><br>><br>> _______________________________________________<br>> Secure Coding mailing list (SC-L) <a href="mailto:SC-L@securecoding.org">SC-L@securecoding.org
</a><br>> List information, subscriptions, etc -<br>> <a href="http://krvw.com/mailman/listinfo/sc-l">http://krvw.com/mailman/listinfo/sc-l</a><br>> List charter available at -<br>> <a href="http://www.securecoding.org/list/charter.php">
http://www.securecoding.org/list/charter.php</a><br>> SC-L is hosted and moderated by KRvW Associates, LLC (<a href="http://www.KRvW.com">http://www.KRvW.com</a>)<br>> as a free, non-commercial service to the software security community.
<br>> _______________________________________________<br></blockquote></div>