0-Day-Patch – A new Metric for Security?

The Federal Institute of Technology in Zurich released a study at Blackhat, which is definitely worth looking into.

Now, let's be serious: They looked at a metric they call 0-Day-Patch, being the number of patches a vendor is able to release on the day of the public disclosure of a new vulnerability. We could again discuss the value of this metric, but it definitely shows how well responsible disclosure works for a vendor. They then compared Apple and Microsoft over 6 years and, in their words, "find global and vendor specific trends and measure the effectiveness of the patch development process of two major software vendors."

So, I just want to pick out the pictures. The following picture shows the percentage of vulnerabilities that are open for longer than a given period:


The second graph is the same for Apple:

The next (and last) graph is the number of unpatched vulnerabilities at any given time:

What I like here is that it seems we are able to keep the number consistently below 20, with a constant average.
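To make the three measures concrete (the 0-Day-Patch rate, the share of vulnerabilities open longer than a given period, and the count of unpatched vulnerabilities on any given day), here is an added worked example that is not part of the original post or of the ETH study. It computes all three from a small, constructed set of disclosure and patch dates for a fictional vendor; the record layout, dates and function names are my assumptions, not the study's data or methodology.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Vuln:
    """One publicly disclosed vulnerability; `patched` is None while no fix has shipped."""
    vuln_id: str
    disclosed: date
    patched: Optional[date]


# Constructed sample data (hypothetical vendor, not the study's data).
# Exposure window = disclosure date -> patch date (or -> today, if still open).
SAMPLE: List[Vuln] = [
    Vuln("V-1", date(2008, 1, 2), date(2008, 1, 2)),    # patched on disclosure day
    Vuln("V-2", date(2008, 1, 5), date(2008, 1, 20)),   # 15 days exposed
    Vuln("V-3", date(2008, 1, 10), date(2008, 1, 10)),  # patched on disclosure day
    Vuln("V-4", date(2008, 2, 1), date(2008, 5, 1)),    # 90 days exposed
    Vuln("V-5", date(2008, 2, 15), None),               # still unpatched
    Vuln("V-6", date(2008, 3, 1), date(2008, 3, 31)),   # 30 days exposed
]


def exposure_days(v: Vuln, as_of: date) -> int:
    """Days the vulnerability was (or has been, up to `as_of`) public without a patch."""
    end = v.patched if v.patched is not None else as_of
    return (end - v.disclosed).days


def zero_day_patch_rate(vulns: List[Vuln]) -> float:
    """0-Day-Patch metric: fraction of vulnerabilities patched on their disclosure day."""
    if not vulns:
        return 0.0
    hits = sum(1 for v in vulns if v.patched == v.disclosed)
    return hits / len(vulns)


def pct_open_longer_than(vulns: List[Vuln], days: int, as_of: date) -> float:
    """Percentage of vulnerabilities whose exposure window exceeds `days` (first graph)."""
    if not vulns:
        return 0.0
    n = sum(1 for v in vulns if exposure_days(v, as_of) > days)
    return 100.0 * n / len(vulns)


def unpatched_on(vulns: List[Vuln], day: date) -> int:
    """Vulnerabilities disclosed on or before `day` and not yet patched on `day` (last graph)."""
    return sum(
        1 for v in vulns
        if v.disclosed <= day and (v.patched is None or v.patched > day)
    )


def unpatched_series(vulns: List[Vuln], start: date, end: date) -> List[Tuple[date, int]]:
    """Daily time series of open vulnerabilities between `start` and `end`, inclusive."""
    series = []
    day = start
    while day <= end:
        series.append((day, unpatched_on(vulns, day)))
        day += timedelta(days=1)
    return series


def peak_unpatched(vulns: List[Vuln], start: date, end: date) -> int:
    """Highest number of simultaneously open vulnerabilities in the window."""
    return max(count for _, count in unpatched_series(vulns, start, end))


if __name__ == "__main__":
    today = date(2008, 6, 30)  # constructed "as of" date for the still-open item
    print(f"0-Day-Patch rate: {zero_day_patch_rate(SAMPLE):.2f}")
    for threshold in (0, 30, 90):
        print(f"open > {threshold:>2} days: {pct_open_longer_than(SAMPLE, threshold, today):.1f}%")
    print(f"peak simultaneously unpatched: {peak_unpatched(SAMPLE, date(2008, 1, 1), today)}")
```

Note the choice in `exposure_days`: a vulnerability with no patch is counted as exposed up to the "as of" date, so the first graph's percentages rise over time for an unpatched item rather than silently dropping it, and `unpatched_on` treats a patch shipped on day X as closing the window on X itself, which is what makes a same-day patch score as a 0-Day-Patch and contribute zero exposure days.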

Last but not least, the most important thing: this is an independent study!

I guess you want to read the whole document. There you go: 0-Day Patch - Exposing Vendors (In)security Performance, and here is the presentation they gave at Blackhat.

One final comment: In my opinion, this metric helps to understand how well a company is doing at fixing vulnerabilities, but by far not how good they are at writing secure code and having a secure design.

Roger