At this point, it sounds like what you really need to do is define the criteria for "insecure" programs. Is it really just the number of bugs? I think it might be more relevant to consider things like #, type, impact, distribution base, etc.
It really all depends on how 'accurate' you want your list to be, but if you establish criteria and a generic series of measurements, you could bounce each recommendation for the list against the metrics to determine an application's placement on the list.

Lastly, I think that it is relatively unproductive to identify the top 10 most 'insecure' programs. It is not the program itself that is necessarily insecure, but how the program is implemented. You can say that IIS is one of the most insecure applications on the market, but it isn't really true! If you apply the proper controls, IIS can be made into a very effective, very secure platform. Again, criteria for defining 'insecure' applications would probably help significantly.

- Brad Bemis