ISS outs Trend Micro

IBM / ISS released (partially redacted) security advisories against Trend Micro. I think John Pescatore got it right in this article:

"But in some ways, Pescatore said, X-Force broke an unspoken rule. "They definitely compete with each other," he said, referring to IBM's Internet Security Systems and Trend Micro. "Does the blog post warn users of the danger? That's what the vulnerability advisories are for. Would X-Force do the same thing if it found bugs in IBM's WebSphere? If IBM didn't patch fast enough or the patches didn't work too well, would they be blogging that, 'We've had it with IBM'?"

These kinds of competitive rivalries really bring out the worst in security companies and highlight the house of cards that is vulnerability discovery and disclosure. Perhaps more importantly, you'd think ISS would act differently given its experience with the Witty worm and its somewhat strange circumstances... although they may hold the record for the number of vulnerabilities found in competitor products (hmm, maybe I am confusing cause and effect here).

In any case, I doubt it would pass my litmus test. I really don't understand why the profession facilitates arbitrary target practice. Pescatore cuts to the chase with his IBM point, and I am tempted to challenge for ISS to out IBM sometime soon, except that it would increase risk. In any case, IBM would be a target-rich environment in an arbitrary world.

Is Microsoft's SDL Working?

I have been critical in the past of Microsoft's supporting evidence for its argument that its Security Development Lifecycle was working. Mind you, I generally assume that it is working, but am just not swayed by the data. So imagine my interest when I came across this tidbit on page 28 of its 150-page Security Intelligence Report for the first half of 2008:

"In general, trends for Microsoft vulnerability disclosures have mirrored those for the industry as
a whole, though on a much smaller scale."

So, if Microsoft is trending consistent with everyone else, then it is more difficult to see the benefit of SDL... This is one of the problems with using public disclosure data - it is inherently fickle and can't tell you nearly as much as, say, internal QA data.

I assume there is a different explanation since I haven't waded through the entire report yet. In any case, it seemed worth mentioning.

WabiSabiLabi Update

This just in - WabiSabiLabi may close its doors. Here are some tidbits:

"...In the end, security researchers recognised the value of having an auction site like WabiSabiLabi, but very few buyers proved willing to use the site, said Roberto Preatoni, an Italian security consultant and WabiSabiLabi's director of strategy.

"It didn't work very well. The marketplace was too far ahead of its time," he said, adding that a final decision on the fate of the marketplace has yet to be reached."

A little over a year ago, as WabiSabiLabi was getting going, I made some predictions:

1. No more than 100 vulnerabilities will have successfully been auctioned off at the website by the end of the year;
2. Maybe 30-40 people will have participated in the auctions;
3. The site will essentially go dormant or cease to exist by the end of 2008.
4. If it doesn't go dormant, it will face at least one legal challenge by the end of 2009.

I just visited the site and the only thing I can see is 34 vulnerabilities in the "marketplace history" section (and nothing active). I can't really tell whether this is a complete set of all vulnerabilities offered, though my guess is that it isn't. Can anyone clarify?

Also, does anyone have an alternate explanation for WSL's pending demise other than it being "ahead of its time"?