Friday, March 29, 2013
response to metrics questions
I hate metrics because most of the time the people in upper management who use them have no idea what the context behind them is.
This was the latest request I got:
What % of exploits use buffer overflow
What % use ROP
What % use stack pivoting techniques in the case the overflowed buffer isn't large enough to hold the entire "ROP sled" [I'm sure they meant NOP sled.]
Does anyone have time to actually keep track that? Are we talking about worldwide?
Sourcefire and Symantec might:
Their justification for this information: "I have a meeting I have to attend."
My thoughts: "Do they know the difference between vulnerability and exploit? Probably not."
My response: "Google Metasploit capabilities." LMAO