http://blogs.csoonline.com/security-industry/3082/secunia-vulnerability-report-questioned-experts
By Steve Ragan
Salted Hash
CSO Online
March 19, 2014
On Tuesday, the OSVDB project outlined various problems with Secunia's
annual vulnerability report, including instances where Secunia counted
vulnerabilities multiple times, or under-reported them. The project also
took issue with how Secunia classified third-party products, which the
Copenhagen-based firm says are non-Microsoft programs, a definition that
isn't shared by a majority of the security community.
"In the world of VDBs, we frequently refer to a third-party component as a
'library' that is integrated into a bigger package," the post explains.
"The notion that “non-Microsoft” software is “third-party” is very weird
for lack of better words, and shows the mindset and perspective of
Secunia. This completely discounts users of Apple, Linux, VMs (e.g.
Oracle, VMware, Citrix), and mobile devices among others. Such a
Microsoft-centric report should clearly be labeled as such, not as a
general vulnerability report."
The project acknowledged that their observations may be biased, as they
are a direct competitor to Secunia due to the involvement of their
commercial partner Risk Based Security (RBS) - but after looking at the
source data, it's hard to ignore the numbers.
To begin with, when examining the opening totals from Secunia, the OSVDB
project says they are "incorrect and entirely misleading."
[...]