0-Day-Patch – A new Metric for Security?
The Federal Institute of Technology in Zurich released a study at Blackhat, which is definitely worth looking into.
Now, let's be serious: they looked at a metric they call 0-Day-Patch, namely the number of patches a vendor is able to release on the day of the public disclosure of a new vulnerability. We could discuss again the value of this metric, but it definitely shows how well responsible disclosure works for a vendor. They then compared Apple and Microsoft over 6 years, finding global and vendor-specific trends and measuring the effectiveness of the patch development process of these two major software vendors.
So, I just want to pick out the pictures. The following picture shows the percentage of vulnerabilities that are open for longer than a given period:
The second graph is the same for Apple:
The next (and last graph) is the number of unpatched vulnerabilities at any given time:
What I like here is that we seem to be able to keep the number consistently below 20, with a constant average.
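To make the three quantities behind these graphs concrete, here is an added example (my own illustration, not code from the ETH study) that computes them from a constructed set of disclosure and patch dates: the share of vulnerabilities patched on the disclosure day (the 0-Day-Patch metric), the percentage still open for longer than a given period, and the number of unpatched vulnerabilities on any given day. The vulnerability identifiers and dates are made up; a vulnerability without a patch date is treated as open up to the reporting date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vuln:
    ident: str
    disclosed: date            # day of public disclosure
    patched: Optional[date]    # None = no patch released yet


# Constructed sample data, not taken from the study.
SAMPLE: List[Vuln] = [
    Vuln("V-1", date(2008, 1, 10), date(2008, 1, 10)),  # patched on disclosure day
    Vuln("V-2", date(2008, 1, 15), date(2008, 2, 12)),  # 28 days open
    Vuln("V-3", date(2008, 2, 1), date(2008, 2, 1)),    # patched on disclosure day
    Vuln("V-4", date(2008, 2, 20), date(2008, 6, 30)),  # 131 days open
    Vuln("V-5", date(2008, 3, 5), None),                # still unpatched
    Vuln("V-6", date(2008, 3, 10), date(2008, 3, 20)),  # 10 days open
]


def days_open(v: Vuln, as_of: date) -> int:
    """Days between disclosure and patch; an unpatched entry counts up to as_of."""
    end = v.patched if v.patched is not None and v.patched <= as_of else as_of
    return (end - v.disclosed).days


def zero_day_patch_ratio(vulns: List[Vuln]) -> float:
    """Share of vulnerabilities that received a patch on the day of disclosure."""
    same_day = sum(1 for v in vulns if v.patched == v.disclosed)
    return same_day / len(vulns)


def share_open_longer_than(vulns: List[Vuln], periods: List[int],
                           as_of: date) -> Dict[int, float]:
    """Fraction of vulnerabilities open for more than each period (in days).

    Unpatched entries only contribute the time observed so far, so for them
    the result is a lower bound on the true open window.
    """
    observed = [days_open(v, as_of) for v in vulns if v.disclosed <= as_of]
    return {p: sum(1 for d in observed if d > p) / len(observed) for p in periods}


def unpatched_count(vulns: List[Vuln], day: date) -> int:
    """Number of disclosed vulnerabilities without a patch at the end of `day`."""
    return sum(1 for v in vulns
               if v.disclosed <= day and (v.patched is None or v.patched > day))


def peak_unpatched(vulns: List[Vuln], start: date, end: date) -> Tuple[date, int]:
    """First day in [start, end] on which the unpatched count reaches its maximum."""
    best_day, best = start, -1
    day = start
    while day <= end:
        n = unpatched_count(vulns, day)
        if n > best:
            best_day, best = day, n
        day += timedelta(days=1)
    return best_day, best


if __name__ == "__main__":
    report_date = date(2008, 7, 1)
    print("0-day patch ratio:", zero_day_patch_ratio(SAMPLE))
    print("open longer than N days:", share_open_longer_than(SAMPLE, [7, 30, 120], report_date))
    print("peak unpatched:", peak_unpatched(SAMPLE, date(2008, 1, 1), report_date))
```

The `share_open_longer_than` curve is the one to read carefully: entries that are still unpatched have not finished their open window, so the percentages for long periods can only rise as time passes, and a report date set too early makes a vendor look better than the final data will.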
Last but not least, the most important thing: this is an independent study!
I guess you want to read the whole document. There you go: 0-Day Patch - Exposing Vendors (In)security Performance, and here is the presentation they did at Blackhat.
One final comment: in my opinion, this metric helps to understand how good a company is at fixing vulnerabilities, but by far not how good they are at writing secure code and having a secure design.
Roger