Tenable vulnerability study contradicts its own work

A vulnerability study by security outfit Tenable Research appears to discredit its own work by stating that the sample size it used for the study was not representative.

Towards the end of the 15-page report, the authors had this to say: "The sample set size of 50 vulnerabilities is not representative and is insufficient to draw detailed or broader conclusions about vulnerabilities in general."

Yet the study drew many broad conclusions from this sample, and it also listed one other limitation.

"Exploit availability does not necessarily mean active exploitation. Usually, only a subset of exploitable vulnerabilities are, for example, weaponised and automated in the form of malware, ransomware and exploit kits. A human threat actor, however, would have access to any published exploit," it said.

Titled "Quantifying the attacker's first-mover advantage", the study (free download after registration here) was said to have been a result of work by Tenable's newly expanded research team.

It concluded with this bit of bizspeak: "The research indicates the criticality of proactively and holistically analysing and measuring Cyber Exposure across the entire modern attack surface.

"Live visibility is not only a foundational element of cyber hygiene but also is the only way for organisations to flip the advantage to the defenders across the majority of vulnerabilities."

Update: The company later issued the following statement:

"In the report, we clarify that findings from the set of vulnerabilities in this study cannot be used to infer broader conclusions about all vulnerabilities. Our study focuses on the 50 most prevalent exploitable vulnerabilities that existed in customer environments in late 2017. Factual findings from this focused set of highly relevant vulnerabilities cannot be extrapolated to the general vulnerability population.

"Strong research will demonstrate rigour and will highlight its bounds and limitations, which is why we were transparent about our dataset and what conclusions could be drawn from the resulting data."



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

