July 3, 2008

Is There a Good 0day?

There's an unusual story in the July issue of FastCompany.com that lets us peek into the world and life of a zero-day trader, who is actually a security researcher who develops 0days in his free time to found a new security start-up.

The "concept" of selling zero-days is not new. Some might argue that there's a lot of benefit. Others will claim that it only plays into the hands of the bad guys, legitimizing some of their actions. At any rate, I believe that there is a consensus (IMO :-) within the community that the bad guys have changed their business model. It's not about the fun, fame or glory. They are after corporate assets, live credit card numbers and soon-to-be-victims' identities, not to mention the role of foreign governments and agencies.

The article describes several zero-day exploits in database systems and ERP applications. Scary. Over the years, Imperva's Application Defense Center (the ADC) has discovered many vulnerabilities in various systems. Some were very critical, and yet we are still waiting for the vendors to patch all the vulnerabilities (as listed on our ADC's page, there are several more vulnerabilities that are waiting for the vendors' patches to be released).

So is there a good 0day?
I like to say that "there is always one more bug," and as long as code exists, someone will find a way to break it. Nothing should be considered immune, and zero-days (without notifying the vendors that issue the remedy) in general should be considered bad, as they expose a weakness without providing a protection.

[Image: the good and bad O'Day. From left to right: Aubrey O'Day, Hank O'Day, Tom O'Day]


