Google Corrects IBM's Security Math - InformationWeek
Software // Operating Systems
01:20 PM
Connect Directly

Google Corrects IBM's Security Math

IBM has fixed a security report it issued last week that misstated Google's security vulnerabilities.

Google has a considerable number of very smart people in its employ and it isn't shy about deploying its bright lights to reveal flawed criticism.

Back in 2006, when worries about click fraud seemed as if they might cause a loss in confidence in Google's search ads, the company argued convincingly that claims of rampant click fraud were based on bad statistics.

On Monday, Google struck again, challenging the accuracy of an IBM X-Force security report issued last week and the security industry's lack of transparency in how it compiles its vulnerability reports.

Conceding that there's some value in bug reports and catalogs of vulnerabilities compiled by security companies and organizations, Adam Mein of Google's security team nonetheless asserts in a blog post that much of the data in these reports is to some extent inaccurate or outdated.

Mein singles out IBM X-Force's 2010 Mid-Year Trend and Risk Report as an example for claiming that 33% of critical and high-risk bugs found in Google services during the first half of 2010 were left unpatched.

"We questioned a number of surprising findings concerning Google’s vulnerability rate and response record, and after discussions with IBM, we discovered a number of errors that had important implications for the report’s conclusions," he wrote. "IBM worked together with us and promptly issued a correction to address the inaccuracies."

It turns out that the 33% figure was based on the belief that one of the supposedly three vulnerabilities affecting Google during the first half of 2010 remained unpatched. In fact, as Mein explains, that one item was mistakenly assumed to be a security flaw due to some confusion about the terminology used to describe it.

The issue was thought to be a stack buffer overflow (a real security risk) when it was actually a stack overflow or stack exhaustion (not in most cases a security risk). So Google actually faced two security vulnerabilities during the first half of 2010 and patched them both.

IBM's correction shows that Google did better than any of the other vendors listed in terms of promptly addressing critical security flaws.

Which company did the worst? IBM.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll