ISS: Vulnerability counts fall in 2007; Do you buy it?

Summary: IBM's Internet Security Systems is previewing its X-Force report and disclosed a notable factoid: Vulnerability disclosures fell 5.4 percent in 2007 relative to 2006.

TOPICS: IBM, Security

IBM's Internet Security Systems is previewing its X-Force report and disclosed a notable factoid: Vulnerability disclosures fell 5.4 percent in 2007 relative to 2006.

Here's the data in a chart as disclosed in the ISS blog:

[Chart from the ISS blog: vulnerability disclosures by year (image iss.png)]

Feel safer yet? You shouldn't.

ISS says that the decline is a statistical anomaly because the growth in vulnerabilities was large in 2005 and 2006. The 2007 decline could be just a statistical correction in an uptrend. ISS also notes that "although there was a decrease in overall vulnerabilities, high-priority vulnerabilities increased by 28 percent. Researchers could simply be focusing on the sometimes more difficult, high-priority finds."

I reckon that ISS' explanations are off on all counts. Vulnerabilities aren't down--disclosure is down. So where are these vulnerabilities going? Here are three not so comforting possibilities:

  • Hackers are selling vulnerabilities instead of disclosing them;
  • Hackers are banking vulnerabilities for later;
  • Or these vulnerabilities aren't disclosed but are quietly patched. If a vulnerability is never disclosed and is patched on the fly, would you ever notice?

In any case, there's a lot happening under this surface data. Unfortunately, it'll take a few more years to see where the vulnerability trends lie.

Talkback

3 comments
  • Vulnerability counts mean nothing

    A program can have ONE SINGLE bug and be a hell of a lot more vulnerable than 50 programs with 10,000+ bugs each. That single bug could be an open door invitation to your computer via the web, while the 10,000+ bugs could be just internal buffer overflows that require direct access to the computer to exploit (i.e., a person must be sitting in front of the computer or logged in as an admin).
    wackoae
    • That's just what they have found

      What about the ones they haven't found? So this year they haven't found as many; big deal. That doesn't mean there are fewer.
      voska1
  • ISS is a joke

    We had them in to do a vulnerability assessment, and that assessment has become legendary for its ineptness - a benchmark we use to describe what we don't want from any other engagement. There were so many false positives that it was beyond belief. *Disclaimer* - this was before IBM bought them.

    I wouldn't trust anything that comes from them as far as I could throw the company as an entire entity.
    ejhonda