Let's start making solutions!

26 Sep 2010

NSS Labs is the latest group of tool bags to announce a store for buying exploits. Pen testing by these means doesn't solve problems; it just proves to people that there are problems with their software, which I think can be proven just as easily by showing someone the current version of their software and the vulnerabilities that exist in that version versus the latest version. Yeah, my solution means you can't walk in with a leather trench coat and some jynx hackerwear schwag and pretend to be cool by running someone else's exploits, but it solves problems a lot faster. How about instead of selling exploits, you sell patches? Maybe that's not very useful because the person can just update their software, but I'm guessing there are cases where you'd rather just flip some bits in the executables instead of upgrading, which would require you to shell out a bunch of money for new software, reboot, or worry about a whole bunch of new features the latest version has. If you can write exploits, you can write hot patches (in-memory patches) and on-disk patches. In fact, it's easier to do those things! Security companies need to sell those, solve problems, and stop being douche bags.
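The version-comparison approach argued for above, as an added example that is not part of the original post: a small checker that takes an inventory of installed product versions and reports which entries fall inside a known-affected range, plus the lowest version that clears every advisory for a product. The product names, version numbers and advisory summaries are constructed placeholders for illustration, not real products or CVEs.

```python
"""
Added example (not from the original post): version-range vulnerability
checking of the kind the post argues for, instead of running exploits.
All advisory data below is constructed placeholder data.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Advisory:
    product: str
    affected_from: str   # first vulnerable version (inclusive)
    fixed_in: str        # first fixed version (exclusive upper bound)
    summary: str


# Constructed sample advisories; the identifiers are placeholders, not real CVEs.
ADVISORIES = [
    Advisory("examplehttpd", "2.0.0", "2.2.17", "PLACEHOLDER-1: request parsing flaw"),
    Advisory("examplehttpd", "2.2.0", "2.2.19", "PLACEHOLDER-2: config file handling"),
    Advisory("examplessl", "0.9.8", "0.9.8o", "PLACEHOLDER-3: handshake issue"),
]


def parse_version(version):
    """Turn a version string into a tuple that orders the way humans expect.

    Numeric runs compare as integers (so 2.2.17 > 2.2.9, not a string
    compare) and letter runs compare as strings, so 0.9.8o > 0.9.8 because a
    longer tuple with an equal prefix sorts after the shorter one.
    """
    key = []
    for part in re.findall(r"\d+|[A-Za-z]+", version):
        if part.isdigit():
            key.append((1, int(part)))
        else:
            key.append((0, part.lower()))
    return tuple(key)


def is_affected(installed, adv):
    """True when installed lies in [affected_from, fixed_in)."""
    v = parse_version(installed)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def check_inventory(inventory, advisories=ADVISORIES):
    """inventory: dict of product name -> installed version string.

    Returns a list of (product, version, advisory) for every advisory that
    applies to the installed version.
    """
    hits = []
    for product, version in inventory.items():
        for adv in advisories:
            if adv.product == product and is_affected(version, adv):
                hits.append((product, version, adv))
    return hits


def minimum_safe_version(product, advisories=ADVISORIES):
    """Lowest version that clears every advisory for the product, i.e. the
    highest fixed_in; None if no advisory mentions the product."""
    fixes = [a.fixed_in for a in advisories if a.product == product]
    return max(fixes, key=parse_version) if fixes else None


# Constructed inventory standing in for what a host actually has installed.
SAMPLE_INVENTORY = {"examplehttpd": "2.2.15", "examplessl": "0.9.8o"}


def report(inventory=SAMPLE_INVENTORY, advisories=ADVISORIES):
    """Human-readable findings, one line per applicable advisory."""
    lines = []
    for product, version, adv in check_inventory(inventory, advisories):
        lines.append(f"{product} {version}: {adv.summary} (fixed in {adv.fixed_in}; "
                     f"upgrade to >= {minimum_safe_version(product, advisories)})")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

The checker only proves what the post says it proves: that the installed version is inside a published affected range. Version-string parsing is the part that usually goes wrong in practice (lexicographic compares, vendor suffixes), which is why `parse_version` splits numeric and alphabetic runs instead of comparing strings directly.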

Now, pen testing does have its place. Identifying open ports and other configuration problems is important, but do you really need to actually get execution on the box to prove anything? Yeah, you could get execution there, then leverage that to get execution elsewhere to show that it can be done, but is all that necessary? The amount of time it takes to write a good exploit would be better spent finding other vulnerabilities.

Finally, NSS is just stupid for restricting themselves to only dealing with known customers and only dealing in exploits for known vulnerabilities. NSS is immediately at a competitive disadvantage. Customers of exploits aren't going to get all the exploits they could, and developers/sellers of exploits aren't going to get the best prices if their customer base is reduced. So people aren't going to want to sell to NSS or buy from them. The only value in this business strategy is the free advertising they are getting. I had never heard of them previously.