Towards the end of the 15-page report, the authors had this to say: "The sample set size of 50 vulnerabilities is not representative and is insufficient to draw detailed or broader conclusions about vulnerabilities in general."
Yet the study, which also listed one other limitation, drew many broad conclusions from this sample size.
"Exploit availability does not necessarily mean active exploitation. Usually, only a subset of exploitable vulnerabilities are, for example, weaponised and automated in the form of malware, ransomware and exploit kits. A human threat actor, however, would have access to any published exploit," it said.
Titled "Quantifying the attacker's first-mover advantage", the study (free download after registration here) was said to have been a result of work by Tenable's newly expanded research team.
It concluded with this bit of bizspeak: "The research indicates the criticality of proactively and holistically analysing and measuring Cyber Exposure across the entire modern attack surface.
"Live visibility is not only a foundational element of cyber hygiene but also is the only way for organisations to flip the advantage to the defenders across the majority of vulnerabilities."
Update: The company later issued the following statement:
"In the report, we clarify that findings from the set of vulnerabilities in this study cannot be used to infer broader conclusions about all vulnerabilities. Our study focuses on the 50 most prevalent exploitable vulnerabilities that existed in customer environments in late 2017. Factual findings from this focused set of highly relevant vulnerabilities cannot be extrapolated to the general vulnerability population.
"Strong research will demonstrate rigour and will highlight its bounds and limitations, which is why we were transparent about our dataset and what conclusions could be drawn from the resulting data."