
IBM against foul play
Chris Rouland, one of the leaders of IBM Internet Security Systems, the security arm of IBM (the "Blue Giant"), says his counterparts at other security companies deliberately withhold data about the vulnerabilities they find. He backs this claim with a curious statistic uncovered while preparing the annual X-Force report: in 2007, for the first time in ten years, the number of newly discovered holes in the protection of computer systems fell, by 5.4% compared with the previous year.
Rouland believes a well-developed black market for vulnerabilities exists, in which security researchers sell their findings both to criminals and to the software vendors themselves. The motives of the latter are as plain as those of the former: no vendor wants to risk its reputation or draw attention to its own mistakes, and would rather fix them quietly. Because this "business model" is so profitable for research firms, it is practically impossible to estimate the real number of holes they find each year.
Outside experts, however, do not share Rouland's alarm: alongside the drop in the total number of vulnerabilities, the number of critical ones, according to the same X-Force report, rose by almost a third over the past year. And discovering and publishing a vulnerability by no means guarantees a prompt response from the software vendor, which often renders the researchers' work almost pointless.