[ISN] Secunia vulnerability report questioned by experts

http://blogs.csoonline.com/security-industry/3082/secunia-vulnerability-report-questioned-experts

By Steve Ragan
Salted Hash
CSO Online
March 19, 2014

On Tuesday, the OSVDB project outlined various problems with Secunia’s annual vulnerability report, including instances where Secunia counted vulnerabilities multiple times, or under-reported them. The project also took issue with how Secunia classified third-party products, which the Copenhagen-based firm says are non-Microsoft programs, a definition that isn’t shared by a majority of the security community.

“In the world of VDBs, we frequently refer to a third-party component a ‘library’ that is integrated into a bigger package,” the post explains. “The notion that ‘non-Microsoft’ software is ‘third-party’ is very weird for lack of better words, and shows the mindset and perspective of Secunia. This completely discounts users of Apple, Linux, VMs (e.g. Oracle, VMware, Citrix), and mobile devices among others. Such a Microsoft-centric report should clearly be labeled as such, not as a general vulnerability report.”

The project acknowledged that their observations may be biased, as they are a direct competitor to Secunia due to the involvement of their commercial partner Risk Based Security (RBS) – but after looking at the source data, it’s hard to ignore the numbers.

To begin with, when examining the opening totals from Secunia, the OSVDB project says they are “incorrect and entirely misleading.”

[…]