November 13, 2002

Vulnerabilities - Required Reading For Tech Vendors

The latest issue of @stake's
Secure Business Quarterly is on vulnerability disclosure.

If you work for a technology vendor of any stature you need to read this latest issue and last year's Q3 issue on application security.

My take: Major software vendors spend between $100,000 and a million dollars per patch - and that's just to post a patch to a web site.

The cost in customer time in testing and installing patches and the increased load on customer service departments takes the figures through the roof.

According to CERT 2,437 vulnerabilities were reported in 2001, up from 1,090 in 2000 and 417 in 1999. At a conservative $75k per vulnerability, security patches (assuming the vendor patched the problem) cost vendors roughly $183 million last year. Nevermind the pain felt by customers, in a vendor's reputation, and the load on service reps responding to patches breaking applications.

Note: The cost per patch data comes from my own informal survey of several of the few vendors that are savvy enough to even track it.

Posted by Abner on November 13, 2002 05:42 PM | TrackBack
Comments ARE BROKEN Send email instead - Thanks!

Recent Entries
iPhone's SIM Locks: Hardware vs. Software vs. Lawyers
Even (or especially) contests could use a security review
Vendors Responses: Voting Machines and the Pwnie Awards
Dude "Security Rocks"
iPhone Wi-Fi Vulnerability
Harry Potter Security
iPhone Hacking & Fustrations
Let the iPhone Hacking Begin
Geer heads to Washington, Again
This Just In: DRM still doesn't work
Phishing meets Internet Advertising
How long to unlock the iPhone Operating System?
Predictive Markets For Politics
The Irony of Phone Security Google Ads
Why Biometric Fingerprint Readers Are A Waste
How to Blag an Interview
Yet another Boston marketing flub
MAC vs. Vista Security
The latest in physical security
Data Loss Archive
Guerrilla Marketing Backfires in Boston
NY Times on the "Market" For Software Vulnerabilities
Not marketing security, marketing *during* security