“Security, perception, reality. What security professional hasn’t struggled with the gaps between those three things? Is there anything worse for security than a false sense of security?” And part II.
Examining Secunia Unpatched Warnings
Submitted by Ricus 2007-01-18 Privacy, Security 7 Comments
I was very disappointed with this article as it seems to demonstrate the typical attitude of lazy reporting often seen in IT blogs posing as journalism.
Part one disparaged Secunia’s reporting of vulnerabilities, asking the reader to return later for the evidence. Part one seemed like little more than an advertisement for part two.
While promised that part two would “explore methods for getting an accurate view of publicly disclosed, but unpatched vulnerabilities in products on any given day or over periods of time”, I found no such exploration. I did find another advertisement for “a paper” that is being written.
However, the element that most annoyed me was the lack of evidence to support the accusations regarding Secunia’s database. Rather than evaluating a large number of possible vulnerabilities that may have affected a number of different products and comparing them against the information provided by Secunia, one product and one exploit is examined. The result of this examination is that the product *might* have been affected by it. In other words, the author has no evidence whatsoever.
What I find most frustrating is that the author may very well be correct in his assumptions. He failed, however, to do the necessary work to prove (or even present a reasonable level of supporting information to back up) his claims.