> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of ljknews
> Sent: Tuesday, July 13, 2004 8:37 AM

Larry Kilgallen wrote...

> At 5:30 PM -0600 7/12/04, Jared W. Robinson wrote:
> >I read the paper, and found it interesting. I read the statistic "50
> >percent of security problems are the result of design flaws". Where does
> >that number come from? Experience?
>
> I would say it comes from sloppy wording.
>
> At best, the author might discuss "50 percent of security problems
> discovered to date...".

Back as late as either 1998 or 1999, approximately 50% of the CERT advisories were attributed to security issues caused by buffer overflows. Now I certainly wouldn't count buffer overflows as DESIGN errors, but some people might. Likewise, I probably wouldn't count most data validation-related errors (specifically, the lack thereof) as design errors, but again, some people might. If those reporting this statistic were of that ilk, I could see the number being close to 50%.

But in my experience from the past 5 years (through code inspections, pen testing, etc.), in my small sample of the world, that number has been closer to 20-25%. (But that could be because we develop in Java or C#; no more C or C++.)

But numbers such as these, in the absence of any context about how the figures were derived, are IMHO close to meaningless.

-kevin wall

---
Kevin W. Wall
Qwest Information Technology, Inc.
[EMAIL PROTECTED]
Phone: 614.215.4788

"The difference between common-sense and paranoia is that common-sense is thinking everyone is out to get you. That's normal -- they are. Paranoia is thinking that they're conspiring." -- J. Kegler