[ISN] Qualys vulnerability research put in peril
isn at c4i.org
Wed Jan 11 01:49:26 EST 2006
By John E. Dunn
10 January 2006
Security management vendor Qualys has denied that its innovative Laws
of Vulnerability research has been jeopardised by the sudden departure
of its key instigator, Gerhard Eschelbeck.
The company has confirmed that no individual had been appointed to
directly replicate Eschelbeck's work on the research, an analysis of
real-world vulnerabilities taken from scans of Qualys's substantial
enterprise customer base. The findings for 2005 were announced last
November at the Black Hat conference in Las Vegas.
Former company CTO and VP of engineering, Eschelbeck, announced before
Christmas that he was leaving the company he'd worked at for five
years to take up an identical position at anti-spyware vendor,
Webroot. He is considered an authority on the topic of vulnerabilities
and patching strategies.
Eschelbeck was also a key figure in the Qualys's involvement in the
Common Vulnerability Scoring System (CVSS) - an evolving standard for
assessing security risks - and in compiling the SANS Top 20, an annual
measure of security vulnerabilities.
Qualys CEO Philippe Courtot was adamant that personnel would be found
from within the company to maintain involvement in the SANS Top 20 -
and in CVSS - a standard the company was strongly committed to.
However, he confirmed that the company had not yet appointed anyone to
oversee the workload, despite appointing an interim CTO in Eschlbeck's
place. Longer term, the company might look outside Qualys itself for a
champion for the Laws analysis.
"One person can't do it all and so you will see more spokespersons,"
Eschelbeck, meanwhile, has his hands full at Webroot, as it attempts
to move from a consumer business model to one orientated towards
More information about the ISN