UNDER THE RADAR

Security Hype Part 2


By Larry Hooper, ChannelWeb
12:00 AM EST Mon. Dec. 11, 2006
From the December 11, 2006 issue of CRN
Security threat warnings once again hit the headlines last week as Trend Micro questioned why security researchers would issue vulnerability alerts on security flaws the Tokyo-based vendor said it patched weeks earlier.

In this case, the security software vendor in November issued a patch on five vulnerabilities in its OfficeScan product that it classified as a medium-level threat.

But just last week, both Symantec's DeepSight Threat Management service and the French Security Incident Response Team (FrSIRT) issued warnings that rated the threat level of the Trend Micro flaws much higher.

So, who should you trust? That's the big question in security these days. But it brings up a host of other questions behind it—and the answers aren't always clear.

First, to be fair, none of the organizations in question has a reputation for dishonesty. But when a vendor rates its own vulnerabilities lower than every other threat warning service rates them, you have to ask: Is this company downplaying its own flaws?

Of course, the other question is obvious: Is the other company hyping up the vulnerabilities to take its competitor down a notch and beef up its own reputation?

These are serious questions with serious implications, but the truth of the matter is much simpler.

No one should have to ask these questions.

There is an industry effort out there called the Common Vulnerability Scoring System (CVSS), and while many industry heavyweights are behind it, most still continue to score vulnerabilities on their own scale.

I'm not saying CVSS is the answer, but everyone needs clear information on the severity of the threats and a way to prioritize what needs to be patched immediately vs. what needs to be patched soon.

Even with the best solution provider, it would be tough for any company to stay completely up to date on patches for every threat.

Despite the hype and the discrepancies, most solution providers I talk to say they are out there making sense of the hype for their customers.

But truth be told: It's a betting man's game right now. Until there is a common threat rating system that everybody agrees on and uses, there is no way to be sure.

Can you count on vulnerability reports? Let me know at (415) 947-6229 or via e-mail at lrhooper@cmp.com.

