Monday, November 3, 2014

Relative Vulnerability Rating (RvR) and WAVSEP Results Update

[For a list of the most updated open source, commercial & SAAS scan results click HERE]

The 2014 vulnerability scanner benchmark included a lot of content, but not nearly as much as I originally planned to publish.
My original aim was to add additional comparison aspects, and provide an initial formula for measuring the VALUE of vulnerability scanners, and infosec products in general.

Despite the help I got from volunteers and multiple kind souls, the new comparison aspects were progressing a bit slower than I hoped, so I decided to release the content in February 2014 and process the rest of the data later.

It's been more than 8 months of development, and although I can't claim all the content is ready for release, a significant portion of it is:

A security-product-oriented vulnerability classification called RvR.

RvR - Relative Vulnerability Rating

RvR includes a comprehensive collection of GENERIC application-level attack vectors (e.g. SQL injection, XSS, etc.), gathered from every prominent resource out there, and classified based on a DETECTION vs. PREVENTION approach.

The list currently includes the incomprehensible number of 233 items, or to be exact, 233 generic ways to hack applications, which security products may be able to perform or prevent.

Unlike OWASP Attacks & Vulnerabilities, CWE, CAPEC, and the WASC Threat Classification, the RvR threat classification aims to provide a common ground for measuring the value of security products, starting with the security products in the application security field.

Each generic exposure in the classification is mapped to other prominent vulnerability classification lists, informative resources and videos, as well as to a relative severity, measured in relation to other RvR items, which is intended to classify how important it is for a product to support each item.

To put it simply: it will make it possible to measure how much of the whole collection of possible generic hacking methods a security product covers, to compare that coverage with other products, and to drill down into various quality aspects.

I invested most of the last few months in implementing a framework for an online website to present the RvR and WAVSEP data, and I'm pretty close to the finish line.

The list has already been distributed to vendors that asked to view it in advance, and will be published as soon as I make some adjustments to the initial website version.

In the meantime, I managed to update some of the comparison results with a few updated product versions, and will try to find the time to update some more.

Vulnerability Scanner Stats (latest tested versions):