November 13, 2002
Vulnerabilities - Required Reading For Tech Vendors
The latest issue of @stake's
Secure Business Quarterly is on vulnerability disclosure.
If you work for a technology vendor of any stature you need to read this latest issue and last year's Q3 issue on application security.
My take: Major software vendors spend between $100,000 and a million dollars per patch - and that's just to post a patch to a web site.
The cost in customer time in testing and installing patches and the increased load on customer service departments takes the figures through the roof.
According to CERT 2,437 vulnerabilities were reported in 2001, up from 1,090 in 2000 and 417 in 1999. At a conservative $75k per vulnerability, security patches (assuming the vendor patched the problem) cost vendors roughly $183 million last year. Nevermind the pain felt by customers, in a vendor's reputation, and the load on service reps responding to patches breaking applications.
Note: The cost per patch data comes from my own informal survey of several of the few vendors that are savvy enough to even track it.Posted by Abner on November 13, 2002 05:42 PM | TrackBack