Why? Why do I get sucked in?

Posted by in Analysis on Feb 4, 2009

First of all, let me start by saying that Sam the Eagle has nothing to do with what I’m about to say – I just liked the awesome picture, ergo I’m linking to it.

Now that that’s out of the way, let’s move on to something less interesting than Sam the Eagle. So, everyone keeps talking about the IBM X-Force 2008 trend report. Being a true lemming at heart, I bought into all the continuous hype and went to check out all the awesomeness. After all, 50 percent of vulnerabilities go unpatched? Wow! 70 percent of web applications have never been patched? Holy jiminy! Could it really be that bad?

So then I went and read the report. And allow me to say that the press is (as usual) slightly hyperbolic in reporting what’s in there. Maybe because the IBM press release was also slightly hyperbolic. Take, for example, the case of “50 percent of vulnerabilities not getting patched.” It turns out that’s not the whole story. Going to the IBM report:

At the end of 2008, 53 percent of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability. Vendors do not always go back to patch previous year

Comment from Alex (http://www.riskanalys.is):

    It’s a great point. And not many people really try to map those sorts of “findings” to observed reality. They just take them for granted.
