Quinby, Kris (MED) wrote:

>I am looking to compare the span time from vulnerability to patch for a few
>different HTTPD servers. The vulnerabilities data base at
>http://www.securityfocus.com does not list a date associated with the
>solution, only the announced date. I also know that the announced date does
>not necessarily coincide with the discovered date but I will take any
>information I can find at this point.
>
>Does someone know where I can find this type of information?
>

It is not recent, but Jim Reavis' study from 1999 provides this kind of data
http://csoinformer.com/research/solve.shtml

Note that "faster" is not the only metric you care about: "correctly" also matters, as we cover in this 2002 paper:

"Timing the Application of Security Patches for Optimal Uptime". Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. Presented at the USENIX 16th Systems Administration Conference (LISA 2002) <http://www.usenix.org/events/lisa02>, Philadelphia, PA, December 2002. Postscript <http://immunix.com/%7Ecrispin/time-to-patch-usenix-lisa02.ps.gz> or ugly PDF <http://immunix.com/%7Ecrispin/time-to-patch-usenix-lisa02.pdf>.

Recently, Microsoft has threatened <http://www.infoworld.com/article/03/11/11/HNmsassault_1.html> :) to repeat this study, but they do not appear to explicitly cite Reavis. Whether you buy into studies sponsored by Microsoft (with their colorful <http://www.varbusiness.com/news/breakingnews.asp?ArticleID=3784> track <http://www.securityfocus.com/columnists/89> record <http://asia.cnet.com/newstech/applications/0,39001094,39150396,00.htm>) is up to you.

Crispin

--
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
                               http://www.immunix.com/shop/

This archive was generated by hypermail 2b30 : Wed Nov 19 2003 - 15:08:31 PST