IBM: Public vulnerabilities are tip of the iceberg
IBM's Internet Security Systems division has warned that there is a "colossal difference" between the number of publicly disclosed security vulnerabilities and the number of flaws that are discovered but not publicly disclosed.
Gunter Ollmann, Internet Security Systems' director of security strategy, wrote in his blog that although ISS researchers had analysed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new security vulnerabilities found in code could be as high as 139,362 per year.
Ollmann arrived at this estimate by taking into account vulnerabilities that have been disclosed to a software vendor and are currently undergoing remediation, and vulnerabilities discovered internally by a company and patched silently.