Räkna inte buggar
Brian Krebs har skrivit ett bra inlägg i buggräknardebatten (om det finns en sådan), Why Counting Flaws is Flawed. Budskapet är att antalet säkerhetshål eller patchar inte är en bra metod för att mäta säkerhet. Jag har skrivit raljerat om det tidigare och har i stort precis samma åsikt som Krebs:
It’s a bit like trying gauge the relative quality of different Swiss cheese brands by comparing the number of holes in each: The result offers almost no insight into the quality and integrity of the overall product, and in all likelihood leads to erroneous and — even humorous — conclusions.
Krebs drar även samma slutsats som jag; frågan "hur många buggar?" föder bara fler frågor:
--
Stefan Pettersson
It’s a bit like trying gauge the relative quality of different Swiss cheese brands by comparing the number of holes in each: The result offers almost no insight into the quality and integrity of the overall product, and in all likelihood leads to erroneous and — even humorous — conclusions.
Krebs drar även samma slutsats som jag; frågan "hur många buggar?" föder bara fler frågor:
- Was the vulnerability discovered in-house — or was the vendor first alerted to the flaw by external researchers (or attackers)?
- How long after being initially notified or discovering the flaw did it take each vendor to fix the problem?
- Which products had the broadest window of vulnerability, from notification to patch?
- How many of the vulnerabilities were exploitable using code that was publicly available at the time the vendor patched the problem?
- How many of the vulnerabilities were being actively exploited at the time the vendor issued a patch?
- Which vendors make use of auto-update capabilities? For those vendors that include auto-update capabilities, how long does it take “n” percentage of customers to be updated to the latest, patched version?
--
Stefan Pettersson
Kommentarer
Trackback
