Number of security flaws nearer to 140,000
By Rene Millman,
While the number of reported security vulnerabilities was around 7,200 last year, the actual figure could be as high as 140,000, according to an expert.
Gunter Ollmann, director of security strategy at IBM's security subsidiary ISS, said that while 7,247 flaws were publicly disclosed in 2006 and over 2,500 were discovered so far this year, many more will escape the attention of most of us.
Ollmann reckoned that 125,000 flaws per year never saw the light of day as they were found by penetration testers working under contract to organisations. These organisations then claimed ownership of vulnerabilities while working to fix the bugs.
"From my own experience, I would say vulnerabilities discovered under contract is probably the biggest catchall for undisclosed vulnerabilities by way of volume," he said.
He said he would estimate that an average consulting penetration tester would uncover five to ten new flaws per day when assessing applications. These were exploits found in web-based applications, competitive reviews of compiled business applications, custom deployment of mainstream applications, or even in-house developed software.
"If you were to include a typical web-application (non-financial - because financial web applications are 'usually' more secure than other categories), then the same consultant could uncover 40 plus new vulnerabilities in a single day - mainly due to lots of pages with submission forms suffering from the same types/classes of programming flaws," said Ollmann.
He said that in some of the larger engagements he has worked on, a team of four working for five days have uncovered 600 vulnerabilities in a single commercial application.
He said that there were around 5,000 security researchers worldwide working under contract, performing penetration testing and vulnerability discovery. Assuming that they worked 150 days per year and found five vulnerabilities a day, this would result in 3,750,000 flaws being discovered. Ollmann said that 90 per cent these would be duplicates, bringing the total nearer to 125,000 per year.
Another 7,000 flaws would be either discovered internally within an organisation, purchased from security researchers, too small to be of interest to bug hunters or written in languages other than English.
"Summing it all up, then we're probably looking at around 132,115 non-public vulnerabilities for last year - making a grand total of 139,362 new vulnerability discoveries (give or take quite a few)," said Ollmann.
You may also like...
Sponsored Links
advertisement
You may also like...
Latest Security Analysis & Insight
What is your password worth?
Would you be tempted to sell off company passwords for a fee? If not, seems like you're in the minority, acccording to research.
- Macs under attack?
- Intel: security inside
- Are you spending too much on IT security?
- Does the government want to snoop on your data?
- Eurocrats versus the cyber criminals
- The truth about spam
- Google and privacy: What’s the problem?
- Q&A: Symantec’s CISO on the source code hack
- RSA: Back from the breach?
Latest Security Reviews
Check Point 2210 Appliance review
Rating: 
advertisement
Most popular
- IBM bans use of Siri on iPhones
- Apple iPad 3 vs iPad 2 head-to-head review
- Lenovo ThinkPad X1 Carbon Ultrabook review : First look
- Chromebooks: What's gone wrong?
- HP plans massive job cuts
- Google: Government controls are the internet's biggest threat
- Macs and Android under malware threat
- Sony Vaio T13 Ultrabook review: First look
- RIM loses its head of sales
- ARM-based Windows 8 tablets facing delays
Latest News Videos in Security
IT PRO Podcast: Are UK data protection laws flawed?
PlayWe bring in two experts to talk about the problems with UK data protection law and the way it is managed.
Register for IT PRO
You'll get exclusive member benefits including free whitepapers, downloads, Webinars and weekly newsletters full of the latest IT PRO news, reviews, insight and expertise.
