Buying into the Bias - Why Vulnerability Statistics Suck
Offered By: Black Hat via YouTube
Course Description
Overview
Explore a critical analysis of vulnerability statistics in this 57-minute Black Hat USA 2013 conference talk. Delve into the flaws and misuses of vulnerability data from repositories like CVE and OSVDB, as presented by Brian Martin and Steve Christey. Examine how academic researchers, journalists, and vendors often misinterpret and misuse this data to draw faulty conclusions about security trends and product comparisons. Learn about the various biases and limitations inherent in vulnerability data collection and analysis. Gain insights into how to critically evaluate vulnerability studies and statistics to make more informed security decisions. Discover concrete examples of both problematic and relatively sound approaches to vulnerability analysis. Understand the complexities of vulnerability observation, cataloging, and annotation processes. Benefit from vendor-neutral suggestions for improving the industry's approach to vulnerability statistics, while also encountering a more critical perspective on current practices.
Syllabus
Black Hat USA 2013 - Buying into the Bias: Why Vulnerability Statistics Suck
Taught by
Black Hat