Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - let's share interesting security information

0-Day-Patch – A new Metric for Security?


The Federal Institute of Technology in Zurich released a study at Blackhat, which is definitely worth looking into.

Now, let's be serious: They looked at a metric they call 0-Day-Patch, which is the number of patches a vendor is able to release on the day of the public disclosure of a new vulnerability. We could discuss again the value of this metric, but it definitely shows how well responsible disclosure works for a vendor. They then compared Apple and Microsoft over 6 years and, in their own words, "find global and vendor specific trends and measure the effectiveness of the patch development process of two major software vendors."

So, I will just take the pictures. The following picture shows the percentage of vulnerabilities that are open for longer than a given period:

The second graph is the same for Apple:

The next (and last graph) is the number of unpatched vulnerabilities at any given time:

What I like here is that it seems we are able to keep the number consistently below 20, with a constant average.
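To make the three quantities concrete (the 0-Day-Patch rate from the metric definition above, the share of vulnerabilities open longer than a given period, and the number unpatched on a given day), here is an added example that is not part of the study or this post. It works on a constructed list of (disclosure date, patch date) records; the dates and the `VULNS` name are assumptions, not data from the study.

```python
from datetime import date

# Constructed sample records: (disclosure_date, patch_date or None if still unpatched).
# These are illustrative values only, not figures from the ETH study.
VULNS = [
    (date(2008, 1, 10), date(2008, 1, 10)),  # patched on disclosure day: a "0-day patch"
    (date(2008, 1, 15), date(2008, 2, 12)),  # 28 days open
    (date(2008, 2, 1), date(2008, 2, 1)),    # another 0-day patch
    (date(2008, 2, 20), date(2008, 5, 20)),  # 90 days open
    (date(2008, 3, 5), None),                # still unpatched
]


def zero_day_patch_rate(vulns):
    """Fraction of vulnerabilities patched on the day they were publicly disclosed."""
    fixed_on_day = sum(1 for disclosed, patched in vulns
                       if patched is not None and patched == disclosed)
    return fixed_on_day / len(vulns)


def share_open_longer_than(vulns, days, as_of):
    """Fraction of vulnerabilities open for more than `days` days.

    Unpatched vulnerabilities are counted as open up to `as_of` (the end of the
    observation window), so they are not silently dropped from the curve.
    """
    count = 0
    for disclosed, patched in vulns:
        end = patched if patched is not None else as_of
        if (end - disclosed).days > days:
            count += 1
    return count / len(vulns)


def unpatched_on(vulns, day):
    """Number of vulnerabilities publicly known but not yet patched on `day`."""
    return sum(1 for disclosed, patched in vulns
               if disclosed <= day and (patched is None or patched > day))


def exposure_curve(vulns, thresholds, as_of):
    """The 'open longer than N days' curve at several thresholds, as {N: fraction}."""
    return {n: share_open_longer_than(vulns, n, as_of) for n in thresholds}


if __name__ == "__main__":
    print("0-day patch rate:", zero_day_patch_rate(VULNS))
    print("exposure curve:", exposure_curve(VULNS, (0, 30, 60, 90), date(2008, 6, 1)))
    print("unpatched on 2008-03-10:", unpatched_on(VULNS, date(2008, 3, 10)))
```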

Last but not least, the most important thing: this is an independent study!

I guess you want to read the whole document. There you go: 0-Day Patch - Exposing Vendors (In)security Performance, and here is the presentation they did at Blackhat.

One final comment: In my opinion, this metric helps to understand how good a company is at fixing vulnerabilities, but by far not how good they are at writing secure code and having a secure design.

Roger

Comments
  • As you may know, we announced version four of the Microsoft Security Intelligence Report earlier this
