Cisco's chief security officer John Stewart has defended the company's recent security alerts, claiming that the holes are entirely down to its in-depth review of its products.
A recent spate of vulnerabilities discovered in Cisco's pervasive Internetwork Operating System (IOS) and the availability of its source code have not detracted from the company's mission to keep end users informed of security issues, claimed Stewart.
Instead, Stewart defended the increased number of recent advisories for Cisco's software: "We are not just running the network anymore. As the company grew there was a correlation between the number of security advisories and the products we offer," he said, adding that any assumption that more complexity will lead to more problems is unacceptable.
Why so many specific IOS vulnerabilities? Stewart said this is because Cisco is investing so much money in finding vulnerabilities before they are exploited. "Now that customers don't want the network to go down, we are spending more dollars to ensure its integrity is upheld," he said. "The exploits have been sensationalised and such attacks are possible on any operating system, not just ours."
Regarding the black market availability of the IOS source code, Stewart is adamant that IP theft, and not exploits, is a bigger concern. "When it comes to exploits, people are going to take a box and try to exploit it, not look at the code and find a vulnerability. Customers want to align with a vendor that can deal with exploits when they are found."
That didn't prevent Cisco from launching legal action against one security researcher who publicised a big hole in IOS in July, however.