Explore a critical analysis of vulnerability statistics in this 57-minute Black Hat USA 2013 conference talk. Delve into the flaws and misuses of vulnerability data from repositories like CVE and OSVDB, as presented by Brian Martin and Steve Christey. Examine how academic researchers, journalists, and vendors often misinterpret and misuse this data to draw faulty conclusions about security trends and product comparisons. Learn about the various biases and limitations inherent in vulnerability data collection and analysis. Gain insights into how to critically evaluate vulnerability studies and statistics to make more informed security decisions. Discover concrete examples of both problematic and relatively sound approaches to vulnerability analysis. Understand the complexities of vulnerability observation, cataloging, and annotation processes. Benefit from vendor-neutral suggestions for improving the industry's approach to vulnerability statistics, while also encountering a more critical perspective on current practices.
Buying into the Bias - Why Vulnerability Statistics Suck
Overview
Syllabus
Black Hat USA 2013 - Buying into the Bias: Why Vulnerability Statistics Suck
Taught by
Black Hat
Related Courses
-
A Proposed Process for Handling Vulnerability Information
-
Hard-core Web Defacement Statistics, Trends, and Analysis
-
Dragon Tails - Measuring Dependence on International Vulnerability Research
-
Stranger Danger - What Is The Risk From 3rd Party Libraries
-
The Hunt for Major League IoT-ICS Threats - A Deep Dive into IoT Threat Terrain
