- Stefan Frei, Martin May
- Blackhat USA, Las Vegas, Aug 2-3 2006
To be able to defend against IT security attacks, one has to understand the attack patterns and hence the vulnerabilities of the attached devices. But for an in-depth risk analysis, purely technical knowledge of the properties of a vulnerability is not sufficient: one has to understand how vulnerabilities, their exploitation and remediation, and the distribution of information about them are handled by the industry and the networking community.
In this research, we examined how vulnerabilities are handled at scale by analyzing 80,000+ security advisories published since 1995. This large body of information enables us to identify and quantify the performance of the security and software industry. We discover trends and discuss their implications. Based on these findings, we finally propose a measure for global risk exposure.