Clear Insights - Security News You Can Use

Top Vuln Lists – To be or not to be…

This post was written by Rick B. on January 30, 2009
Posted Under: Opinion

Ever since the “2009 CWE/SANS Top 25 Most Dangerous Programming Errors” list was posted, there has been a lot of banter back and forth on the value of these types of lists. Having worked in the security consulting business now for over 10 years, I can say definitively that I value this list and others like it.

Through my years in this business I can honestly say that the most frequent question that all executives ask upon completion of an assessment is “how do I compare to my peers?” This typically results in a lot of tap dancing trying to explain how every assessment is unique, and that it is very difficult to compare the results of one assessment to another. But the bottom line is that every C-level executive that I’ve had the pleasure of presenting to does not care about any of my excuses or lame explanations. What they want is something that they can wrap their arms around, and most importantly, something that they can measure themselves and their staff against. Ultimately they know that if they can’t measure it, they can’t really hold their staff accountable for improvements.

Now some will say that this only leads to fixing the holes on these lists so that they “look good” during an assessment. I would probably agree with that statement if the assessor only tested for those problems during an assessment. In reality, what we are finding during all of our assessments is that most customers still don’t have the major issues identified in these lists fixed, even though those issues have received sooo much attention. So, to all those who believe that these lists are worthless because it is assumed that everyone will have these issues fixed already: to me they are just not living in reality, or are completely out of touch with their customers. Here at Clear Skies we have developed a unique way to leverage these lists to give our customers what they are asking for: a way to compare themselves to their peers and a method to track their progress from one assessment to the next. And for that reason alone, I welcome the Top Vuln Lists and hope that the community at large continues to embrace them.
