To paint a better picture of software security trends, studies tracking vulnerability announcements year-to-year could benefit from clearer disclaimers about their data, according to two researchers set to present at the upcoming Black Hat USA conference in Las Vegas. Brian Martin, content manager of the Open Source Vulnerability Database, and Steve Christey, principal information security engineer in the security and information operations division at The MITRE Corporation, plan to present on the shortcomings of different studies of the vulnerability landscape, with the hope of providing organizations with better tools for determining their software security priorities, Dark Reading reported.
The researchers found that the number of vulnerabilities reported in annual studies from organizations such as Symantec, Hewlett-Packard’s Zero-Day Initiative and OSVDB itself varied by as much as 75 percent in 2012. Pointing out these issues is important given the role such studies play in many organizations’ IT planning, they said.
“Companies are basing their decisions off of all of these stats, and those decisions are very sweeping, in the sense that it is affecting the budget, it’s affecting the personnel, and their lives to a degree,” Martin told Dark Reading.
Additionally, the researchers believe that the subjective nature of the most common method of assigning severity ratings to vulnerabilities – the Common Vulnerability Scoring System – can paint an inaccurate and generally overly reactive view of the criticality of such flaws.
An OSVDB blog post offered a picture of how one such study – from NSS Labs – might have overstated the number of critical CVSS scores. For instance, issues whose details are lacking are scored as a worst-case 10.0 severity. On the other hand, multiple flaws are often condensed into a single CVE identifier, meaning that studies that only track CVE numbers may be understating the number of vulnerabilities in the wild.
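The two counting effects described above (worst-case scoring of unspecified issues, and several flaws collapsed into one CVE) can be made concrete. The following Python script is an added example, not code from the article, OSVDB, MITRE or NSS Labs; it runs over a small constructed feed of flaw records and reports how the same data yields different headline numbers depending on the convention used, which is the kind of disclosure the researchers argue a study should state up front. The record layout, the `CVE-0000-000x` identifiers and the 9.0 critical threshold are all assumptions made for the example.

```python
"""Show how counting conventions change vulnerability statistics.

Each record below is one distinct flaw. Some records share a CVE (several flaws
condensed into one identifier), one has no CVE at all, and some have no CVSS
details. All values are constructed for illustration; none are real advisories.
"""
from collections import Counter

# Constructed sample feed (hypothetical identifiers, not real CVE data).
SAMPLE_FEED = [
    {"id": "FLAW-1", "cve": "CVE-0000-0001", "cvss": 7.5},
    {"id": "FLAW-2", "cve": "CVE-0000-0001", "cvss": 7.5},   # second flaw under the same CVE
    {"id": "FLAW-3", "cve": "CVE-0000-0001", "cvss": 4.3},   # third flaw under the same CVE
    {"id": "FLAW-4", "cve": "CVE-0000-0002", "cvss": None},  # details unspecified, no score
    {"id": "FLAW-5", "cve": "CVE-0000-0003", "cvss": 9.8},
    {"id": "FLAW-6", "cve": None,            "cvss": 5.0},   # no CVE assigned at all
    {"id": "FLAW-7", "cve": "CVE-0000-0004", "cvss": None},  # details unspecified, no score
    {"id": "FLAW-8", "cve": "CVE-0000-0004", "cvss": 6.1},
]

# Assumed cut-off for "critical"; a study must state which band it uses.
CRITICAL_THRESHOLD = 9.0


def count_by_cve(records):
    """Distinct CVE identifiers: what a CVE-only study reports.

    Flaws without a CVE disappear, and several flaws under one CVE count once.
    """
    return len({r["cve"] for r in records if r["cve"] is not None})


def count_by_flaw(records):
    """One count per distinct flaw, regardless of how CVEs were assigned."""
    return len(records)


def flaws_per_cve(records):
    """How many flaws hide behind each CVE identifier (None groups un-CVE'd flaws)."""
    return Counter(r["cve"] for r in records)


def count_critical(records, worst_case_unspecified):
    """Count records at or above CRITICAL_THRESHOLD.

    With worst_case_unspecified=True, a missing score is treated as 10.0 (the
    convention the article describes); with False, unscored records are skipped.
    """
    critical = 0
    for r in records:
        score = r["cvss"]
        if score is None:
            if not worst_case_unspecified:
                continue
            score = 10.0
        if score >= CRITICAL_THRESHOLD:
            critical += 1
    return critical


def methodology_spread(records):
    """Report every convention side by side so a study can disclose its method."""
    by_cve = count_by_cve(records)
    by_flaw = count_by_flaw(records)
    return {
        "by_cve": by_cve,
        "by_flaw": by_flaw,
        # Percentage by which per-flaw counting exceeds per-CVE counting.
        "flaw_vs_cve_pct": round((by_flaw - by_cve) / by_cve * 100, 1),
        "critical_worst_case": count_critical(records, True),
        "critical_scored_only": count_critical(records, False),
    }


if __name__ == "__main__":
    for key, value in methodology_spread(SAMPLE_FEED).items():
        print(f"{key:>22}: {value}")
    for cve, n in flaws_per_cve(SAMPLE_FEED).items():
        print(f"{cve or '(no CVE)':>22}: {n} flaw(s)")
```

On the constructed feed, counting distinct CVEs gives 4 while counting flaws gives 8, and the critical count is 3 under the worst-case convention but 1 when only scored records are counted. The numbers themselves are artificial; the point is that a report which publishes only one of these figures, without saying which convention produced it, cannot be compared with a report that used another.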
While the inconsistency of such studies means that they are worth taking with a grain of salt, the general trend lines are worth following, the researchers noted. The software security industry could use more rigor in its reporting, but organizations could also benefit from more scrutiny in their development practices, as, regardless of the data, the number of vulnerabilities being exploited is substantial. Using a secure development lifecycle that includes tools such as static analysis, organizations can reduce the likelihood of a software security error reaching release.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.