Monday, December 12, 2005

0bay - how realistic is the market for security vulnerabilities?

In Issue 19 (July, 2005) of the Astalavista Security Newsletter that I release on a monthly basis, I wrote an article entitled "Security Researchers and your organization caught in between?" whose aim was to highlight a growing trend, namely the monetization of vulnerability research, who benefits and who doesn't.

A recent, rather significant event at least for me covering and monitoring this issue for quite some time now, was an Ebay listing for a "brand new Microsoft Excel vulnerability". A bit ironical, but I had a chat with Dave Endler, director of security research at TippingPoint, and the issue of their future position as bidders for someone else's research were discussed a week before the Ebay's listing in Issue 23 (November, 2005) of Astalavista's Security Newsletter.

Two of today's most popular, and at least public commercial entities paying hard cash for security vulnerabilities are : iDefense, and the ZeroDayInitiative (TippingPoint).

But what is the need for creating such a market? Who wins and who loses? What are the future global implications for this trends, originally started by iDefense?

In any market, there are sellers and buyers, that's the foundation of trade besides the actual exchange of goods/services and the associated transaction. What happens when buyers increase, is that sellers tend to increase as well, and, of course, exactly the opposite. Going further, every economy, has its black/underground or call it whatever you want variation. And while some will argue a respected researcher will contribute to the the development of even more botnets, who says it has to be respected to come with a vulnerability worth purchasing?! It's a Metasploit world, isn't it?!

Going back to the market's potential. Sellers get smarter, transparency is build given more buyers join seeking to achieve their objectives in this case, provide proactive protection to their clients only, and build an outstanding, hopefully loyal researchers' database. These firms, to which I refer as buyers have happened to envision the fact that there are thousands of skilled vulnerability researchers', who are amazingly capable, but aren't getting a penny out of releasing their vulnerabilities research. Ego is longer important, and getting $ for research on a free will basis is a proven capitalistic approach. What these companies(and I bet many more vendors will open themselves for such a service) didn't take into consideration in my opinion, is that, starting to work with people giving $ as the ultimate incentive will prove tricky in the long-term.

What will happen of the Swiss cheese of software(yet the one that dominates 95% of the OS market today) Microsoft starts bidding for security vulnerabilities in its products? Bankruptcy is not an option, while I doubt they will ever take this into consideration, mainly because it would seriously damage a market sector, the information security one. Imagine, just for a sec. that Microsoft decides to seriously deal with all its vulnerabilities? But today's lack of accountability for software vendors' actions related to vulnerabilities is making it even worse. If MS doesn't get sued for not releasing a patch in any time frame given, why should we, the small compared to MS vendor care?

Howard Schmidt, former White House cybersecurity adviser, once proposed that programmers should be held responsible for releasing vulnerable code. I partly agree with him, you cannot cut costs in order to meet product/marketing deadlines while hiring low skilled programmers who do not take security into consideration, which opens another complex discussion on what should a developer focus on these days - efficiency or security, and where's the trade-off?

I originally commented on this event back then :
The position of Schmidt prompts him to address critical issues and look for very strategic solutions which may not be favored by the majority of the industry as I’m reading through various news comments and blogs. I personally think, he has managed to realize the importance of making a distinction in how to tackle the vulnerabilities problem,who’s involved, and who can be influenced, where the ultimate goal is to achieve less vulnerable and poorly coded software. Software vendors seek profitability, or might actually be in the survival stage of their existence, and as obvious as it may seem, they facts huge costs, and extremely capable coders or employees tend to know their price! 

What’s the mention are the tech industry’s “supposed to be” benchmarks for vulnerabilities management, picture an enterprise with the “IE is the swiss cheese in the software world in terms of vulnerabilities, and yet no one is suing Microsoft over delayed patches” – lack of any incentives, besides moral ones, in case there’re clear signs and knowledge that efficiency is not balanced with security. And that’s still a bit of a gray area in the development world.

Vulnerabilities simply cannot exist, and perhaps the biggest trade-off we should also face is the enormous growth of interactive applications, innovation approaches for disseminating information, with speeds far outpacing the level of attention security gets. Eventually, we all benefit out of it, web application vulnerabilities scanners and consultants get rich, perhaps the (ISC)² should take this into consideration as well :-)

Even though you could still do the following :
- build awareness towards common certifications addressing the issue
- ensure your coders understand the trade-offs between efficiency and security and are able to apply certain marginal thinking, whereas still meet their objectives
- as far as accountability is concerned, do code auditing with security in mind and try figure out who are those that really don’t have a clue about security, train them
- constantly work on improving your patch release practices, or fight the problem from another point of view

But unless, coders, and software vendors aren’t given incentives, or obliged under regulations (that would ultimately result in lack of innovation, or at least a definite slow down), you would again have to live with uncertainly, and outsource the threats posed by this issue. M icrosoft’s “Improving Web Application Security: Threats and Countermeasures” book, still provides a very relevant information.

Slashdot’s discussion

What also bothers me, is how is the virginity of the vulnerability identified? I mean, what if I have already found it, developed an exploit for it, sold it to the underground, and cashed with the industry as well, and no one came across it on his/her :) honeyfarm? The researcher's reputation is a benchmark, but in the long-term, the competitive market that's about to appear, will force the buyers to start working on a mass basis. There's a definitely a lot to happen!

Welcome to the wonderful world of purchasing 0-day security vulnerabilities! Have an enemy, bid for his ownage, have a competitor, own them without having to attract unnecessary attention, I'm just kiddin' of course, although the possibilities are disturbing.

What I really liked about this important moment in vulnerability research, was that it was about time the security researchers wanted to see how valued their research is in terms of the only currency that matters in the process - the hard one. In my point of view, monetizing the vulnerabilities research market wasn't the best strategic approach on fighting 0-day vulnerabilities, in this case, ensure you have the most impressive minds on your side, and that your clients get hold of the latest vulnerabilities before the public does.

So - who's the winner - it's...Symantec who first realized the long-term importance of security vulnerabilities, and where, both researchers and actual vulnerabilities are - Bugtraq/SecurityFocus, by acquiring it for US$75 million in cash, back in 2002, and later one integrating its joys into the DeepSight Analyzer - remarkable. Both from a strategic point of view, and mainly because that, by the time any post on any of the associated mailing lists doesn't get approved, it's Symantec's staff having first look at what's to come for the day of everyone.

SecurityFocus is running a story about the Ebay vulnerability listing, and so is eWeek, Slashdot also picked up the story. It was about time for everyone, given it actually happened during the weekend :-)

Technorati tags :