
Back of the Envelope Math - Undercover Vulnerabilities

Assumptions:

  • [A1] Schneier says: "They find, on average, one security flaw per 1,000 lines of code." Update: I can't substantiate the number, but if memory serves, 1/1k is a common rule of thumb for all defects. Also, I think the numbers here are more likely, around 1/10k. I will use this number instead.
  • [A2] Tippett says: "Only 3 percent of the vulnerabilities that are discovered are ever exploited."
  • [A3] The National Vulnerability Database shows 29,360 vulnerabilities found, ever (I suppose).
  • [A4] Spire Security (i.e., me) lists 20 total vulnerabilities discovered via exploit ("undercover exploits").
  • [A5] Spire Security (yup, me again) estimates there are 3 trillion lines of code in the world, perhaps 240 billion "active" lines of code.

Calculations:

  • [C6] 240,000,000,000 / 10,000 = 24 million vulnerabilities in existence. [A5]/[A1]
  • [C7] 30k / 24m = 0.125% of vulns found (that's 99.875% of vulns undisclosed). [A3]/[C6]
  • [C8] 30,000 * 3% = 900 vulnerabilities actively exploited (can this be right?) [A3]/[A2]
  • [C9] 900:20 = 45 to 1 odds that an exploited vulnerability will come from the pool of known vulns. [C8]/[A4]

etc.

Update: I've had some feedback that suggests the [A3] NVD numbers may be off by as much as a factor of 50 and that my list of 20 undercover exploits [A4] is "off by half", which I don't understand, but I will use 100 to be on the safe side. Here are the calculations in that case ([A3] = 1,500,000; [A4] = 100):

  • [C6] 240,000,000,000 / 10,000 = 24 million vulnerabilities in existence. [A5]/[A1]
  • [C7] 1.5m / 24m = 6.25% vulns found (that's 93.75% of vulns undisclosed). [A3]/[C6]
  • [C8] 1.5m * 3% = 45,000 vulnerabilities actively exploited [A3]/[A2]
  • [C9] 45,000:100 = 450 to 1 odds that an exploited vulnerability will come from the pool of known vulns. [C8]/[A4]
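The two calculation runs above, as an added example that is not part of the original post: the assumptions [A1]..[A5] become inputs so both scenarios can be rerun with other numbers, and a sensitivity pass shows which assumption each result actually depends on (for instance, [C9] never touches [A1] or [A5], so the LOC estimates do not move the headline odds).

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Assumptions:
    active_loc: float           # [A5] "active" lines of code in the world
    loc_per_vuln: float         # [A1] lines of code per security flaw
    known_vulns: float          # [A3] vulnerabilities ever disclosed (NVD count)
    exploit_rate: float         # [A2] share of disclosed vulns that get exploited
    undercover_exploits: float  # [A4] vulns first discovered via an exploit


# The two scenarios from the post (the post rounds [A3] to 30k in its arithmetic).
ORIGINAL = Assumptions(240e9, 10_000, 30_000, 0.03, 20)
REVISED = Assumptions(240e9, 10_000, 1_500_000, 0.03, 100)


def estimate(a: Assumptions) -> dict[str, float]:
    """Reproduce calculations [C6]..[C9] as one function of the assumptions."""
    total_vulns = a.active_loc / a.loc_per_vuln                         # [C6] = [A5]/[A1]
    found_fraction = a.known_vulns / total_vulns                        # [C7] = [A3]/[C6]
    exploited_known = a.known_vulns * a.exploit_rate                    # [C8] = [A3]*[A2]
    odds_known_to_undercover = exploited_known / a.undercover_exploits  # [C9] = [C8]/[A4]
    return {
        "total_vulns": total_vulns,
        "found_fraction": found_fraction,
        "exploited_known": exploited_known,
        "odds_known_to_undercover": odds_known_to_undercover,
    }


def sensitivity(base: Assumptions, factor: float = 2.0) -> dict[str, dict[str, float]]:
    """Scale one assumption at a time by `factor` and report each output as a
    ratio to its base value. A ratio of 1.0 means the output ignores that input."""
    base_out = estimate(base)
    table = {}
    for name in base.__dataclass_fields__:
        varied = replace(base, **{name: getattr(base, name) * factor})
        out = estimate(varied)
        table[name] = {k: out[k] / base_out[k] for k in base_out}
    return table


if __name__ == "__main__":
    for label, scenario in (("original", ORIGINAL), ("revised", REVISED)):
        r = estimate(scenario)
        print(f"{label}: {r['total_vulns']:,.0f} vulns exist, {r['found_fraction']:.3%} found, "
              f"{r['exploited_known']:,.0f} exploited, {r['odds_known_to_undercover']:.0f} to 1")
    # Which assumptions move the headline odds [C9] when doubled?
    for name, ratios in sensitivity(ORIGINAL).items():
        print(f"double {name:20s} -> [C9] x{ratios['odds_known_to_undercover']:.2f}")
```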


Comments

I see the logic, but the conclusion "45 to 1 odds that an exploited vulnerability will come from the pool of known vulns" isn't passing the "smell test" for me.

@Alex -

Well, if you thought the logic was off, we could at least discuss that. I am not all that anxious to discuss your sense of smell ;-).
