By Stefan Frei
Security vulnerabilities in software represent a particularly problematic risk to private and business users alike. However, in the software industry we still lack coherent, standardized, and scheduled reporting of important security parameters for software programs. In the finance industry, for example, key performance parameters are reported yearly or quarterly to consistently provide interested parties, and the public, with relevant information for decision-making and risk assessment.
We have therefore launched a new initiative to address this lack of relevant security information in a standardized and scheduled format, namely the Secunia Security Factsheets (http://secunia.com/factsheets).
In a single document a Secunia Security Factsheet presents important security information for a given program in a consistent and standardized format. The factsheets go well beyond simple vulnerability counts by analyzing the kinds and number of vulnerabilities paired with information about the software vendors' ability to roll out security patches. The information is based on Secunia's Vulnerability Intelligence database and analysis of Secunia Research.
The factsheets are released quarterly and provide a number of key security parameters in a year-on-year (YoY) comparison, such as 'the number of advisories in the two most recent 12-month periods', 'breakdown of the number of Secunia Advisories by attack vector', and 'classification of the impact of successful exploitation on the affected system', among others. This information will enable us to answer questions that would otherwise require extensive manual data mining.
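As an added illustration, not part of the original post or of Secunia's own tooling, the Python below builds such a year-on-year comparison (advisory counts, breakdown by attack vector, and breakdown by impact) from a handful of constructed advisory records; the record fields, category names, dates and advisory ids are assumptions for the example, not Secunia's taxonomy or data:

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    """One advisory record (constructed fields, not Secunia's schema)."""
    advisory_id: str
    published: date
    attack_vector: str   # e.g. "remote", "local network", "local system"
    impact: str          # e.g. "system access", "denial of service"


def _years_before(d: date, n: int) -> date:
    """Same calendar day n years earlier; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def yoy_factsheet(advisories, as_of: date) -> dict:
    """Compare the 12 months ending at as_of with the 12 months before that."""
    current_start = _years_before(as_of, 1)
    previous_start = _years_before(as_of, 2)
    periods = {"current": [], "previous": []}
    for adv in advisories:
        if current_start < adv.published <= as_of:
            periods["current"].append(adv)
        elif previous_start < adv.published <= current_start:
            periods["previous"].append(adv)        # older records are ignored
    sheet = {}
    for name, advs in periods.items():
        sheet[name] = {
            "advisories": len(advs),
            "by_attack_vector": dict(Counter(a.attack_vector for a in advs)),
            "by_impact": dict(Counter(a.impact for a in advs)),
        }
    sheet["yoy_change"] = sheet["current"]["advisories"] - sheet["previous"]["advisories"]
    return sheet


# Constructed sample records for one hypothetical program (ids are placeholders).
SAMPLE_ADVISORIES = [
    Advisory("EX-1", date(2010, 8, 15), "remote", "system access"),
    Advisory("EX-2", date(2010, 3, 2), "remote", "denial of service"),
    Advisory("EX-3", date(2009, 11, 20), "local system", "privilege escalation"),
    Advisory("EX-4", date(2009, 9, 30), "remote", "system access"),
    Advisory("EX-5", date(2009, 5, 5), "local network", "information disclosure"),
    Advisory("EX-6", date(2008, 9, 1), "remote", "system access"),   # outside window
    Advisory("EX-7", date(2010, 10, 5), "remote", "system access"),  # after as_of
]


def build_sample_sheet() -> dict:
    """Factsheet for the sample data as of the end of Q3 2010."""
    return yoy_factsheet(SAMPLE_ADVISORIES, date(2010, 9, 30))
```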
Initially we will publish the factsheets for more than a dozen major programs, as of Q3 2010. However, we will continue to extend the range of programs covered, as well as develop the factsheets further, based on customer and community feedback - so stay tuned!
You can submit your input by sending an e-mail to: firstname.lastname@example.org.
I hope that the quarterly Secunia Security Factsheets will raise awareness of the evolution of security threats, support you in your daily work, and help identify new trends at an early stage.
Research Analyst Director