Improved software development practices and an expansion of the secondary market for zero-day vulnerabilities have led to a reduction in submissions to Hewlett Packard's TippingPoint Zero-Day Initiative in 2012, according to the program's manager. The ZDI program had published 187 advisories for publicly disclosed vulnerabilities in 2012 as of December 4, down from more than 350 in 2011, according to SearchSecurity.com.
"As software development becomes more mature, submissions go down a little bit, but we're still focusing on critical software," Brian Gorenc, manager of TippingPoint DVLabs at HP, told SearchSecurity.com. "These vulnerabilities can cause widespread damage and our focus is to get them fixed."
The ZDI program serves as a sort of middleman between researchers and software companies, purchasing software security vulnerabilities for sums of up to $5,000 and working with vendors to ensure the flaws are fixed. While improved software development practices such as the use of source code analysis are helping to reduce submissions, researchers are looking for potential attack vectors that take advantage of newer technologies and platforms.
The majority of the flaws submitted are for web applications, but mobile vulnerability submissions are likely to rise in 2013, according to Gorenc. He noted that submissions may also increase for techniques intended to bypass security mitigations such as data execution prevention (DEP) and address space layout randomization (ASLR).
New markets for vulnerabilities
Submissions are also becoming less common because of the growing number of alternatives for researchers to submit vulnerabilities. Organizations such as Google, Facebook, Mozilla and PayPal have created bug bounty programs of their own, reducing reliance on the ZDI program as a central clearinghouse. However, there has also been a growth in vulnerability and exploit sales that bypass traditional responsible disclosure standards in favor of the potential financial rewards of the open market.
Dark Reading reported that the vulnerability market has become more complex, as private companies have joined black hat hackers and white hat researchers in a gray-market practice of selling vulnerability information to enterprises and governments. These businesses' refusal to disclose exploit information has become a point of contention with some major software vendors.
"When you look at the motivations for the people in the black market, they want to keep vulnerabilities unpatched, right?" Gorenc told Dark Reading. "Same for the gray market when they're selling information about zero days there. Once those zero days are patched, that information's not as valuable as it was when it was unpatched."
Further complicating the marketplace is the fact that black- and gray-market vulnerabilities are often later resold to legitimate bug bounty programs such as ZDI, Dark Reading noted. Some see the entire existence of the secondary market as unethical. Sophos senior security advisor Chester Wisniewski told SearchSecurity.com that researchers deserve to get paid for their work, but that they should do so through legitimate channels.
"It's important as a software vendor to get treated fairly under clear rules," he said.
For organizations hoping to improve software security, one method of preventing vulnerability sales is to strengthen the development process. By using techniques such as source code analysis, companies may be able to mitigate the risk of having an exploit reach the open market.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.