I think it makes complete sense to want to have a good idea about which platforms are more or less vulnerable than others at the earliest possible time in your deployment cycle (e.g. at buying time). To accomplish that objective, you can look at complexity measures (we assume that more complex software is more likely to have more vulnerabilities, though the only study I am aware of didn’t find a correlation) or attack surface measures – e.g. the Relative Attack Surface Quotient (RASQ).

Unfortunately, the complexity work is not simple post production and isn’t published (or isn’t done) during development. So we are stuck with making do with the things we can quantify.

You are right that the VR comparative ratings will change over time and could flip-flop – the whole Firefox vs. IE fiasco of late ’04 is a good example of that.

The thing I like about the VR is that you can isolate on exposure and measure trends in your own deployment. There is an element of “threat” in this approach, but I think it will still provide a more useful approach to vulnerability than existing measures.

Does that make sense, or have I missed something?

Three great questions that certainly could be asked of vulnerability counts and Days of Risk as well. I’ll take them one at a time.

1) While I fully endorse techniques during development to capture effort metrics, it is extremely difficult to do this for the entire world. The metric does not address discovery effort directly, but it should be reflected in the trend line as higher peaks – i.e. vulns found would have more significant impact.

2)(TD – DOB) in the denominator covers mature vs. new products, since it is a product lifetime (or deployment period for enterprises). New products will divide by a smaller number, so each individual vuln has greater impact. As we expect software to get more secure over time (else we wouldn’t be looking for vulns) the impact flattens out over time as well.

3) I don’t account for severity. My belief is that a metric should start simple and then get more complex as need arises. If severity levels can be objectively shown to be significantly different among programs with the same general function, then I will come up with a corresponding weighting scheme for each vuln’s lifetime.

Thanks for the comments!

Also, how does it account for differences in vulnerability severity?