Symantec Enterprise Security - page 89 / 97






Symantec Global Internet Security Threat Report

Appendix C—Vulnerability Trends Methodologies

Symantec operates one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet, the Bugtraq™ mailing list,223 which has approximately 50,000 direct subscribers who contribute, receive, and discuss vulnerability research on a daily basis. Symantec also maintains one of the most comprehensive vulnerability databases, currently consisting of over 35,000 vulnerabilities (spanning more than two decades) affecting more than 80,000 technologies from over 11,000 vendors.

Vulnerability classifications

Following the discovery and/or disclosure of a new vulnerability, Symantec analysts gather all relevant characteristics of the new vulnerability and create an alert. This alert describes important traits of the vulnerability, such as the severity, ease of exploitation, and a list of affected products. These traits are subsequently used both directly and indirectly for this analysis.

Vulnerability types

After discovering a new vulnerability, Symantec threat analysts classify the vulnerability into one of 12 possible categories based on the available information. These categories focus on defining the core cause of the vulnerability, as opposed to classifying the vulnerability merely by its effect.

The classification system is derived from the academic taxonomy presented by Taimur Aslam, et al. (1996),224 which provides a full description of the possible values below:

    • Boundary condition error

    • Access validation error

    • Origin validation error

    • Input validation error

    • Failure to handle exceptional conditions

    • Race condition error

    • Serialization error

    • Atomicity error

    • Environment error

    • Configuration error

    • Design error

Web browser vulnerabilities

This metric compares vulnerability data for major Web browsers, namely: Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera, and Apple Safari. However, in assessing the comparative data, it should be noted that for this report the total number of vulnerabilities in these Web browsers is computed, including both vendor confirmed and non-vendor confirmed vulnerabilities.

223 The Bugtraq mailing list is hosted by SecurityFocus (http://www.securityfocus.com). Archives are available at http://www.securityfocus.com/archive/1

224 “Use of a Taxonomy of Security Faults”: http://ftp.cerias.purdue.edu/pub/papers/taimur-aslam/aslam-krsul-spaf-taxonomy.pdf


Document info
Document views392
Page views392
Page last viewedMon Jan 23 02:55:00 UTC 2017