[Owasp-topten] 2010 RC1 - Sources of Stats

Steven M. Christey coley at linus.mitre.org
Mon Dec 28 13:50:19 EST 2009


On Mon, 28 Dec 2009, Christian Heinrich wrote:

> For the MITRE statistics, is the CWE Vulnerability Type Distributions
> the sample (i.e. http://cwe.mitre.org/documents/vuln-trends/index.html)
> or do different statistics constitute their sample?

I gave Dave updated information through 2008; this is for all 
currently-published CVEs, and it uses an extended "flaw type" taxonomy in 
comparison to what was used in 2006/2007 (e.g., unrestricted file upload 
and open redirects were barely on the radar in 2006).

We have not publicly released an updated trends document, although some 
day I hope to (sigh, too much going on, and I want the data to be 
cleaner).

CVE draws from various vuln DBs like Secunia, mailing lists like Bugtraq, 
sites like milw0rm (RIP), and major vendor advisories like Microsoft, 
Cisco, Red Hat, etc.  But, due to the nature of disclosure practices these 
days, vulnerabilities in major vendor software probably only cover about 
25% or less of all CVEs; the remainder are "mom-and-pop" applications, 
third-party modules for frameworks such as Joomla and Drupal, etc.  As 
such, CVE-based data is weighted more heavily to applications that are NOT 
developed with the backing of extensive testing processes and secure 
development teams.

- Steve

