Don't expect iDefense to change how it gathers intelligence on software security holes, a top executive said Friday. In fact, the only thing about the Reston, Va.-based firm that will cease to exist is its name.
"As of today, iDefense is now VeriSign," said Joseph Payne, who went from being iDefense's president and COO to VP of intelligence for
Mountain View, Calif.-based VeriSign Inc., which acquired the security intelligence firm for about $40 million in cash Thursday. "Will the iDefense programs remain in place? The answer is an unequivocal yes."
That includes the somewhat controversial Vulnerability Contributor Program (VCP), in which underground researchers are paid to supply information on new software vulnerabilities.
Critics of the program have argued that it's nearly impossible to verify the identity of hackers peddling their wares, especially if they want to remain anonymous. They've also argued that there's no way to control information once it's released to a third party. Program supporters have said that as threats grow grimmer, information on possible security holes must be brought to light so IT professionals can protect their networks -- even if it means the bad guys might make use of the intelligence as well.
As far as VeriSign is concerned, VCP isn't just worth keeping -- it's worth expanding. The company will announce plans to do just that at the Black Hat Briefings in Las Vegas July 27-28.
"People will have to wait until then for the details, but I can tell you VeriSign supports the program," Payne said. "They asked a lot of questions about it and they know it's one of the things that set iDefense apart from other firms. They understand that some of the world's best technical resources are helping us find vulnerabilities."
He also reiterated what iDefense has been saying since the program started in August 2002: that VCP has built-in controls to ensure the information it buys comes from reliable, legitimate sources and that it checks out contributors before accepting information. In most cases, VCP contributors are students, white and gray hat security enthusiasts and professionals. The firm has said it avoids dealing with black hats -- those who exploit vulnerabilities for malicious purposes. Payne said that will not change either.
VeriSign is best known as a domain registry for Internet addresses and as a provider of security and payment
processing services tailored specifically toward e-commerce. It also offers managed security services. The company said iDefense's research product portfolio -- which includes iAlert Daily Delivery and FLASH reports, weekly threat reports and focused Intelligence reports -- will help it improve all its security services.
"Network perimeters are expanding to include customers, partners and remote employees, so enterprises must leverage the most advanced security intelligence to protect customer data and corporate assets," Judy Lin, executive vice president and general manager of VeriSign Security Services, said in a statement. "The acquisition of iDefense expands the VeriSign suite of managed security services, providing customers with additional capabilities with which to proactively protect their networks from vulnerabilities and attacks."
Specifically, VeriSign said the addition of iDefense "will augment the comprehensive VeriSign Managed Security Services (MSS) offering and represents an expansion of the company's ability to monitor and assess security threats in real time." VeriSign said it will retain the iDefense employee base and iDefense will assume the VeriSign name, continuing to market the iDefense suite of intelligence services.
The acquisition has been approved by the boards of directors of both companies, VeriSign said. Revenue and earnings contribution from the acquisition will not be material to the company's 2005 financial results.