IBM: Public vulnerabilities are tip of the iceberg

But security experts point out that nondisclosure of flaws doesn't necessarily increase security risk.

Tom Espiner Special to CNET News
IBM's Internet Security Systems division has warned that there is a "colossal difference" between the number of publicly disclosed security vulnerabilities and the number of flaws that are discovered but not publicly disclosed.

Gunter Ollmann, Internet Security Systems' director of security strategy, wrote in his blog that although ISS researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new security vulnerabilities found in code could be as high as 139,362 per year.

Ollmann arrived at this estimate by taking into account vulnerabilities that have been disclosed to a software vendor and are currently undergoing remediation, and vulnerabilities discovered internally by a company and patched silently.

He added that organizations may purchase zero-day vulnerabilities from security researchers and then release them under nondisclosure agreements to those organizations' customers. Other organizations and hackers also stealthily use zero-day vulnerabilities to produce malicious software, according to Ollmann.

Ollmann wrote that the number of vulnerabilities grows to a "colossal" total if you include those discovered under contract with a security service (through penetration testing, for example), vulnerabilities discovered by researchers but deemed "too lame" to be disclosed to the company, and vulnerabilities that affect non-English language software and consequently can't be understood by some analysts.

However, some security experts questioned Ollmann's definition of known and unknown vulnerabilities.

"What (Ollmann) is classing as new and unknown vulnerabilities are really processes by which they become known," said Greg Day, U.K. analyst for security firm McAfee. Day added that while penetration testing does reveal vulnerabilities, these are never made public and are patched internally, reducing the risk of an exploit.

Andy Buss, senior analyst for analysis firm Canalys, pointed out that many internal systems weren't directly exposed to the Internet, and said the risk stated by ISS needed to be "taken with a pinch of salt." However, he added that ISS's estimate of the number of undiscovered vulnerabilities was "conservative."

"IBM ISS (is) likely being conservative with (139,362) given how much in-house software never gets tested," Buss told ZDNet. "In my view, the number is probably way higher than that."

McAfee's Day said he wouldn't like to put a figure on the number of undisclosed vulnerabilities. "The simple reality is there's so much code--in applications, in systems and infrastructures--there's a huge potential to be capped or tested. I wouldn't like to say whether (139,362) is high or low."

Tom Espiner of ZDNet UK reported from London.