IBM's Internet Security Systems division has warned that there is a "colossal difference" between the number of publicly disclosed security vulnerabilities and the number of flaws that are discovered but not publicly disclosed.
Gunter Ollmann, Internet Security Systems' director of security strategy, wrote in his blog that although ISS researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new security vulnerabilities found in code could be as high as 139,362 per year.
Ollmann arrived at this estimate by taking into account vulnerabilities that have been disclosed to a software vendor and are currently undergoing remediation, and vulnerabilities discovered internally by a company and patched silently.
He added that organizations may buy zero-day vulnerabilities from security researchers and then disclose them, under nondisclosure agreements, only to their own customers. Other organizations and hackers also stealthily use zero-day vulnerabilities to build malicious software, according to Ollmann.
Ollmann wrote that the total becomes "colossal" if you also count vulnerabilities discovered under contract with a security service (through penetration testing, for example), vulnerabilities that researchers deem "too lame" to report to the vendor, and vulnerabilities in non-English-language software that some analysts therefore cannot read or assess.
"What (Ollmann) is classing as new and unknown vulnerabilities are really processes by which they become known," said Greg Day, U.K. analyst for security firm McAfee. Day added that while penetration testing does reveal vulnerabilities, these are never made public and are patched internally, reducing the risk of an exploit.
"IBM ISS (is) likely being conservative with (139,362) given how much in-house software never gets tested," Buss told ZDNet. "In my view, the number is probably way higher than that."
McAfee's Day said he wouldn't like to put a figure on the number of undisclosed vulnerabilities. "The simple reality is there's so much code--in applications, in systems and infrastructures--there's a huge potential to be capped or tested. I wouldn't like to say whether (139,362) is high or low."