
IBM against foul play

Chris Rouland, one of the leaders of IBM Internet Security Systems, the Big Blue division that hunts for and fights threats to information security, has said that his counterparts at other companies of the same profile deliberately withhold information about the vulnerabilities they find. He backs his conclusion with odd statistics that surfaced while the annual X-Force report was being prepared. In 2007, the report says, 5.4% fewer gaps in the protection of computer systems were found than in the previous year, the first decline in 10 years.

Rouland believes that a mature black market for vulnerabilities has developed, in which computer security experts sell their findings both to criminals and to the software authors themselves. The motives of the latter are as clear as those of the former: nobody wants to put their reputation at risk or draw attention to their own mistakes, preferring to fix them quietly. The high profitability of this “business model” for research firms makes it almost impossible to estimate the real number of holes they find each year.

Third-party experts, however, do not see why the esteemed Rouland is so alarmed: alongside the drop in the total number of vulnerabilities, the number of critical gaps, according to the same X-Force report, jumped by almost a third over the past year. And discovering and publishing a vulnerability does not guarantee that the software vendor will respond to it promptly, which often renders the researchers' work almost pointless.

Source: https://habr.com/ru/post/20176/