February 5th, 2008

ISS: Vulnerability counts fall in 2007; Do you buy it?

Posted by Larry Dignan @ 11:32 am

Categories: Exploit code, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Vulnerability, IBM Corp., ISS, Security, Larry Dignan

IBM’s Internet Security Systems is previewing its X-Force report and disclosed a notable factoid: Vulnerability disclosures fell 5.4 percent in 2007 relative to 2006.

Here’s the data in a chart as disclosed in the ISS blog:

[Chart: iss.png]

Feel safer yet? You shouldn’t.

ISS says that the decline is a statistical anomaly because the growth in vulnerabilities was large in 2005 and 2006. The 2007 decline could be just a statistical correction in an uptrend. ISS also notes that “although there was a decrease in overall vulnerabilities, high-priority vulnerabilities increased by 28 percent. Researchers could simply be focusing on the sometimes more difficult, high-priority finds.”

I reckon that ISS’ explanations are off on all counts. Vulnerabilities aren’t down–disclosure is down. So where are these vulnerabilities going? Here are three not so comforting possibilities:

  • Hackers are selling vulnerabilities instead of disclosing them;
  • Hackers are banking vulnerabilities for later;
  • Or these vulnerabilities aren’t disclosed and are quietly patched. If a vulnerability is never disclosed and is patched on the fly, would you ever notice?

In any case, there’s a lot happening under this surface data. Unfortunately, it’ll take a few more years to see where the vulnerability trends lie.

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.

Talkback

That's just what they have found
What about the ones they haven't found? So this year they haven't found as many big deal. That doesn't mean there are less....
Posted by: voska1 Posted on: 02/06/08