0-Day-Patch – A new Metric for Security?


The Federal Institute of Technology in Zurich released a study at Blackhat, which is definitely worth looking into.


Now, let’s be serious: they looked at a metric they call 0-Day-Patch, being the number of patches a vendor is able to release on the day of the public disclosure of a new vulnerability. We could debate the value of this metric again, but it definitely shows how well responsible disclosure works for a vendor. They then compared Apple and Microsoft over 6 years and, in their words, “find global and vendor specific trends and measure the effectiveness of the patch development process of two major software vendors.”


So, I just want to pick out the pictures. The following picture shows the percentage of vulnerabilities that are open for longer than a given period:




The second graph is the same for Apple:



The next (and last graph) is the number of unpatched vulnerabilities at any given time:



What I like here is that we seem to be able to keep the number consistently below 20, with a constant average.
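To make the three graphs concrete, here is an added example (my own code, not from the ETH study) that computes the metrics from a per-vulnerability list of disclosure and patch dates: the 0-Day-Patch count and share, the share of vulnerabilities still open after a given number of days, and the daily count of unpatched vulnerabilities. The vendors, dates and the cut-off date are constructed sample values; the choice to count a fix shipped before disclosure as closed on day 0 is my assumption, not something the study states.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Vuln:
    vendor: str
    disclosed: date          # day of public disclosure
    patched: Optional[date]  # day the fix shipped, None if still open


# Constructed sample data: hypothetical vendors, not real advisories.
SAMPLE: List[Vuln] = [
    Vuln("VendorA", date(2008, 1, 10), date(2008, 1, 10)),  # fixed on disclosure day
    Vuln("VendorA", date(2008, 1, 15), date(2008, 2, 1)),   # open 17 days
    Vuln("VendorA", date(2008, 2, 20), date(2008, 2, 20)),  # fixed on disclosure day
    Vuln("VendorA", date(2008, 3, 1), None),                # still unpatched
    Vuln("VendorB", date(2008, 1, 5), date(2008, 1, 12)),   # open 7 days
    Vuln("VendorB", date(2008, 2, 10), date(2008, 4, 10)),  # open 60 days
    Vuln("VendorB", date(2008, 3, 15), date(2008, 3, 15)),  # fixed on disclosure day
]


def by_vendor(vulns: List[Vuln], vendor: str) -> List[Vuln]:
    return [v for v in vulns if v.vendor == vendor]


def days_open(v: Vuln, as_of: date) -> int:
    """Days between public disclosure and the fix (or the cut-off date if still open).
    A fix shipped before disclosure counts as 0 days (assumption, see lead-in)."""
    end = v.patched if v.patched is not None else as_of
    return max(0, (end - v.disclosed).days)


def zero_day_patch_count(vulns: List[Vuln]) -> int:
    """Number of vulnerabilities whose fix was available on the disclosure day."""
    return sum(1 for v in vulns if v.patched is not None and v.patched <= v.disclosed)


def zero_day_patch_share(vulns: List[Vuln]) -> float:
    """Same metric normalised by the vendor's total, so vendors of different size compare."""
    return zero_day_patch_count(vulns) / len(vulns) if vulns else 0.0


def share_open_longer_than(vulns: List[Vuln], days: int, as_of: date) -> float:
    """Fraction of vulnerabilities open for more than `days` days (the first two graphs)."""
    if not vulns:
        return 0.0
    return sum(1 for v in vulns if days_open(v, as_of) > days) / len(vulns)


def unpatched_on(vulns: List[Vuln], day: date) -> int:
    """Vulnerabilities disclosed on or before `day` and not yet fixed on that day."""
    return sum(
        1 for v in vulns
        if v.disclosed <= day and (v.patched is None or v.patched > day)
    )


def unpatched_series(vulns: List[Vuln], start: date, end: date) -> List[Tuple[date, int]]:
    """Daily backlog of unpatched vulnerabilities between start and end (the third graph)."""
    out = []
    d = start
    while d <= end:
        out.append((d, unpatched_on(vulns, d)))
        d += timedelta(days=1)
    return out


def peak_backlog(vulns: List[Vuln], start: date, end: date) -> int:
    """Highest number of simultaneously open vulnerabilities in the window."""
    return max(c for _, c in unpatched_series(vulns, start, end))


if __name__ == "__main__":
    cutoff = date(2008, 4, 1)
    for vendor in ("VendorA", "VendorB"):
        vs = by_vendor(SAMPLE, vendor)
        print(vendor,
              "0-day patches:", zero_day_patch_count(vs),
              "share >30 days open:", round(share_open_longer_than(vs, 30, cutoff), 2),
              "peak backlog:", peak_backlog(vs, date(2008, 1, 1), cutoff))
```

The cut-off date matters: a vulnerability that is still open is counted as open up to `as_of`, so the "open longer than N days" share changes as the observation window moves, which is one reason such a metric should always be quoted together with the period it was measured over.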


Last but not least, the most important thing: this is an independent study!


I guess you want to read the whole document. There you go: 0-Day Patch – Exposing Vendors (In)security Performance, and here is the presentation they gave at Blackhat.


One final comment: in my opinion, this metric helps to understand how well a company is doing at fixing vulnerabilities, but by far not how good they are at writing secure code and having a secure design.


Roger

Comments (2)

  1. Anonymous says:

    As you may know, we announced version four of the Microsoft Security Intelligence Report earlier this
