Small security firm puts spotlight on big vendor bugs

Research company says it has discovered 67 undisclosed vulnerabilities in major vendors' software

"I was amazed by the film and wanted to go into technology," Litchfield said. After leaving university, Litchfield said he bought a technical study guide in a bookstore, "learned it by heart," and took a test to become a Certified Novell Administrator. In 1997 he got his first job in IT.

Within a couple of years, he found himself working on security and decided to go into business with his older brother Mark, now 30, who shares his enthusiasm for technology. They launched Cerberus Information Security Ltd. in 1999 and in 2000 it was bought by U.S. security company @stake Inc.

In 2001 the brothers formed NGS Software and soon brought another Litchfield into the mix: Dave Litchfield Sr., who took over management of the company's finances after retiring from the Royal Marines.

Now the Litchfield triumvirate, together with the other members of the NGS Software team, seem to have hit their stride.

The company has been contracted by Microsoft Corp. to help deliver the much-anticipated Windows XP Service Pack 2 software security update, due out this month. NGS performs most of its bug hunting for free, to bolster its reputation, in addition to selling its own security software.

It has also recently been tapped to give advanced notification of vulnerability information to the U.K.'s National Infrastructure Security Co-ordination Centre (NISCC), and for some time shared information with the U.S.'s infrastructure protection authorities.

The company is quickly growing, from a staff of around 10 last year to 26 currently, and more openings are posted on the company's Web site. In its expansion, NGS has brought some more young and bright researchers onboard, Litchfield said, like 17-year-old Peter Winter-Smith who has discovered a number of the currently undisclosed vulnerabilities touted by the firm, and 24-year-old John Heasman.

"He's scarily intelligent," Litchfield said of Heasman.

NGS, like other companies in its industry, has gained momentum at a time when software vendors and technology providers are coming under increased pressure to shore up their security against a growing wave of threats.

Attacks have not only become more frequent in recent years, they have become more sophisticated as hackers become better schooled in how to exploit holes.

In the game of cat and mouse between vendors and hackers, security researchers occupy a strange space between ally and foe. For vendors, they can both reveal and protect against security holes; for hackers, they can identify targets, as well as conceal them.

But Litchfield sees NGS as ultimately being on the side of software users, trying to make their systems more secure.

"It's getting harder to find bugs so that means we are doing our job," Litchfield said. He added that with the recent Oracle incident aside, "most vendors are fairly speedy and deliver patches to customers when they have them ready."

Although having fewer bugs is their ultimate goal, finding them is still the fun part of the job, Litchfield concedes.

When asked how many undisclosed vulnerabilities NGS had currently uncovered, Litchfield said "97." Then a pause."What was that, Mark? 98! He just found another one," he said.