|
|
tags:
all,
apache,
apachecon,
apacheweek,
bryce,
cve,
fedora,
fudcon,
geocaching,
gps,
ha,
jabber,
metrics,
microsoft,
nashville,
north carolina,
oscon,
red hat summit,
security,
trips
|
|
|
mark :: blog
Earlier this month, Steve Christey posted a draft report of the Vulnerability
Type Distributions in CVE. The report notices, amongst other things, some differences between open and closed source vendors. I thought it would be more interesting to focus just on one of our released distributions to see if it made a difference to the trends. Steve kindly provided some reports based on a list of CVE names I gave him, and this led to the analysis and these two graphs.
First, the Vulnerability Type Distribution graph. This is not really a big surprise, the most common vulnerabilities we fix are buffer overflows.
Technologies such as ExecShield (PIE, support for NX, FORTIFY_SOURCE
and so on) were designed specifically to reduce the risk of being able
to exploit this flaw type. Secondly, compared to the industry as a whole we fix far less web application flaws
such as cross-site scripting or SQL injection. This result is to be expected as most of these are in PHP web applications we don't ship in our distributions.
Created: 24 Oct 2006
Tagged as: cve, metrics, red hat, security
0 comments
(new comments disabled)
|
|
