2
Using Vulnerability Trends to Reduce Risk and Costs

Vulnerabilities represent risk and expense to all organizations. Vendors who are serious about reducing both risk and costs for their customers focus on reducing the number of vulnerabilities in their products and work on ways to make it hard and expensive for attackers to exploit their customers, thereby driving down attackers' return on investment. Identifying the vendors and the products that have been successful in doing this can be time-consuming and difficult.

In this chapter, I will provide you with valuable background information and an in-depth analysis of how some of the industry's leaders have managed vulnerabilities in their products over the last two decades, focusing on operating systems and web browsers. I introduce a vulnerability improvement framework that can help you to identify vendors and products that have been reducing risks and costs for their customers. This data and analysis can inform your vulnerability management strategy.

Throughout this chapter, we'll cover the following topics:

• A primer on vulnerability management
• Introducing a vulnerability management improvement framework
• Examining vulnerability disclosure trends for select vendors, operating systems, and web browsers
• Guidance on vulnerability management programs

Let's begin by looking at what vulnerability management is.