Tenable vulnerability study contradicts its own work

A vulnerability study by security outfit Tenable Research appears to discredit its own work by stating that the sample size it used for the study was not representative.

Towards the end of the 15-page report, the authors had this to say: "The sample set size of 50 vulnerabilities is not representative and is insufficient to draw detailed or broader conclusions about vulnerabilities in general."

Yet the study draws many broad conclusions from that same sample. It also lists one other limitation.

"Exploit availability does not necessarily mean active exploitation. Usually, only a subset of exploitable vulnerabilities are, for example, weaponised and automated in the form of malware, ransomware and exploit kits. A human threat actor, however, would have access to any published exploit," it said.

Titled "Quantifying the attacker's first-mover advantage", the study (free download after registration here) was said to be the result of work by Tenable's newly expanded research team.

It concluded with this bit of bizspeak: "The research indicates the criticality of proactively and holistically analysing and measuring Cyber Exposure across the entire modern attack surface.

"Live visibility is not only a foundational element of cyber hygiene but also is the only way for organisations to flip the advantage to the defenders across the majority of vulnerabilities."

Update: The company later issued the following statement:

"In the report, we clarify that findings from the set of vulnerabilities in this study cannot be used to infer broader conclusions about all vulnerabilities. Our study focuses on the 50 most prevalent exploitable vulnerabilities that existed in customer environments in late 2017. Factual findings from this focused set of highly relevant vulnerabilities cannot be extrapolated to the general vulnerability population.

"Strong research will demonstrate rigour and will highlight its bounds and limitations, which is why we were transparent about our dataset and what conclusions could be drawn from the resulting data."







Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

