Comments on: Software Security Labels: Should we throw in the towel? http://spiresecurity.com/?p=525 Risk and Cybersecurity Analysis Wed, 21 Aug 2013 23:28:51 +0000 hourly 1 http://wordpress.org/?v=3.5.1 By: Steve Christey http://spiresecurity.com/?p=525&cpage=1#comment-809 Steve Christey Thu, 27 Oct 2005 08:33:44 +0000 http://spiresecurity.com/blog/?p=525#comment-809 I feel your pain regarding solid metrics for measuring software vulnerability. The bias in vulnerability research can be unintentional as well. There are approximately 300 different flavors of vulnerabilities by my count, yet most researchers only focus on 10 or 20. Every researcher has their own preference or skill area. The public record of vulnerabilities is nowhere near reliable, but it’s the best we have for now. The best clues are how complex the discovered vulnerabilities are (you rarely see a 100% obvious buffer overflow in a major software package these days – most overflows involve multiple bugs, complex attack scenarios, or previously unexplored functional areas such as file formats).

The research community needs to establish reasonably formal analysis methods that are repeatable and comprehensive, then deploy those methods on multiple products, and publish their results. Only then can you possibly compare the security of products. At least it would be a start.

Steve Christey
CVE Editor

]]>