Comments on: ISS on its last Legs?

By: Pete

Pete — Wed, 25 May 2005 18:08:16 +0000

Latent vulnerabilities are abundant, it is only when they get “discovered” and notify the world that the vultures start circling.

In a very specific sense, it is extremely worthwhile to perform QA and patch those applications that are important to you.

In this very general sense, this only forces everyone to focus on this particular application rather than the ones that are of most importance to the enterprise.

So the answer to your question is no, I don’t believe that unconstrained public vulnerability discovery simply to patch the holes (or gain market advantage) does anyone any good, and the costs are astronomical.

Regarding peer review and security companies playing together well… I talk to security vendors all the time. There is no love lost among them. I don’t believe they are doing this altruistically.

By: Hari Krishna

Hari Krishna — Wed, 25 May 2005 10:44:42 +0000

Dont you think its actually good for the customers who are using those products. That a competitor is finding faults pushes companies to plug these holes/whatever faster. And often, reliability on a single product is a dangerous issues in security. This kind of finding bugs might be a kind of peer review of others products, benefitting the end user most, who might not have the time nor the expertise to look so deep.

By: Axel

Axel — Thu, 03 Mar 2005 07:00:44 +0000

I believe that ISS is actually trying to change their business model from software creation to vulnerability assessment. X-Code always was doing this and since the market for IDS and IPS devices and software isn’t as hot as it used to be ISS is somewhat at a loss.

Why should they create new software products? If they don’t want to any more, they’re of course free to seek other venues.

Having said that, I do have to agree with your initial assessment. ISS reeks of a slow death.