Brian Martin (@Attritionorg) – also known as Jericho on the Interwebs – took a few minutes out of his busy schedule to share some insights on vulnerability stats, the topic of his recent Black Hat briefing in Las Vegas.
Martin has been active in the hacker/security scene for over twenty years, and is well known for his healthy skepticism and the regular application of his anger management skills.
Being a hacker focused on security research, Martin has a unique point of view on almost any issue in security, and he is not shy about sharing it with the wider community.
Martin’s talk, Buying into the Bias: Why Vulnerability Statistics Suck, which was presented with compadre Steve Christey, looked at how our industry often analyzes vulnerability statistics using huge repositories of vulnerability data such as CVE and OSVDB to determine vulnerability trends.
Martin and Christey contend that these types of data are unreliable, and that their limitations are not adequately weighted when doing such analysis, producing faulty conclusions skewed by innate bias.
“As maintainers of two well-known vulnerability information repositories, we’re sick of hearing about sloppy research after it’s been released, and we’re not going to take it any more,” the researchers stated.
What’s the rub? Martin explains here…