Re: On product vulnerability history and vulnerability complexity

To: Crispin Cowan <crispin@xxxxxxxxxx>
Subject: Re: On product vulnerability history and vulnerability complexity
From: Gadi Evron <ge@xxxxxxxxxxxx>
Date: Mon, 03 Apr 2006 21:12:13 +0200
Cc: "Steven M. Christey" <coley@xxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <442F060E.4030909@xxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200603240801.k2O81Wnx003790@xxxxxxxxxxxxxxx> <442F060E.4030909@xxxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)

Crispin Cowan wrote:

Kind of: absence of evidence is not evidence of absence, but that
applies both ways. The absence of a vulnerability history does not
indicate that the product is secure or insecure, it indicates that no
one has looked, or at least no one has reported looking.

Like you stated earlier, our history and statistics gathering in theindustry are very lacking and self-biased at best. Still, this really isthe case of "the truth is probably somewhere in the middle".

Looking at how many past vulnerabilities were found, and of what types,does tell you something. Looking at what the code looks like tells you abunch. As an example, if a product has 5 basic buffer overflows everyyear, obviously something is wrong there. If the vulnerabilities areobscure at best rather than basic buffer overflows - we can at leasttell it wasn't the coder being bad but rather something that can happento anyone.


Looking even at web applications and their history one can easily tell if:
1. They are professionally written.

2. The vulnerabilities seen before and the ones we could find are nottrivial or really say anything about the coder.


That's how we chose WordPress for blogging.

I don't see why closed-source software should be any different.

I recently had a chat with a friend and we talked exactly on this issue:

Although there is some un-touched code-base around (Excel being a recentexample)...Looking at Microsoft's software of today, it is extremely well-writtenand professional. Far beyond that of most others. Findingvulnerabilities in them is extremely difficult. Most vulnerabilities youwill find will be logical in nature and not easy.

That does not come to speak to my (bad to worse) opinion of theirdisclosure handling process, etc., but rather to show that they indeedseriously changed in that regard.

Consider Postfix and Qmail again; neither has any substantive history of
vulnerabilities, but both have a substantive history of fussing over
whether some arcane anomaly is a vulnerability or not. This indicates
that people were looking really hard at them. This is a very good thing.
We need some way to capture that.

That is key, as today's data is very lacking to base much on. But we usewhat we have, right?


        Gadi.

Follow-Ups:
- Re: On product vulnerability history and vulnerability complexity
  - From: Javor Ninov
- Re: On product vulnerability history and vulnerability complexity
  - From: Steven M. Christey

References:
- On product vulnerability history and vulnerability complexity
  - From: Steven M. Christey
- Re: On product vulnerability history and vulnerability complexity
  - From: Crispin Cowan

Prev by Date: Re: Cantv/Movilnet's Web SMS vulnerability.
Next by Date: Re: On classifying attacks
Previous by thread: Re: On product vulnerability history and vulnerability complexity
Next by thread: Re: On product vulnerability history and vulnerability complexity
Index(es):
- Date
- Thread