NSS Labs has a plan to secure the Internet: Build a Nasdaq for hackers.
Security researchers will be able to upload hacking techniques, name their price and sell work that until now has been profitable only through the cybercriminal black market.
Rick Moy doesn’t like to watch an unfair fight. As he sees it, malicious hackers can break into corporate and government networks using a single software vulnerability, while the good guys must painstakingly check and patch every one of thousands of potentially hackable holes in their systems.
Security auditors often use mock attacks, known as penetration tests, to find those weak points. But testing every flaw in a target’s network would require writing thousands of “exploits”–the programs used to hack into vulnerable systems. The intruder, meanwhile, need write only one.
So Moy, the 42-year-old president of NSS Labs, wants to let the laws of supply and demand even the odds. In October his research firm plans to launch an online platform that will allow researchers and penetration testers to buy and sell hacking exploits on an open marketplace known as Exploit Hub. Security researchers will be able to upload hacking techniques, name their price and sell work that until now has been profitable only through the cybercriminal black market. And security auditors will be able to download those hacks en masse to perform tests that suss out vulnerabilities in every cranny in their network.
“This is like the iPhone App Store for exploits,” says Moy. “This is how we can leverage the work of all these disparate researchers and also let them get paid for it.”
The tricky part: keeping Exploit Hub from becoming a convenient resource for breaking into the systems it’s meant to protect. Moy says NSS will carefully screen customers to sell only to known companies and agencies, and will use encryption keys to make sure it’s not selling to impostors. Just as important, the platform will host exploits only for known vulnerabilities, not so-called zero day exploits–new attacks for which software companies haven’t yet issued fixes. Moy’s goal, after all, is to help companies find fixable flaws, not demonstrate a blitz they’re powerless to defend against. “Zero days aren’t a controversy that we need,” he says.
NSS won’t be the first to try selling an array of digital weapons to penetration testers. But the largest collections currently available from Core Security Technologies, Immunity and an open source project known as Metasploit include exploits for less than 10% of the 14,000 security flaws publicly revealed in information technology systems over the last five years.
Moy thinks that a charge-what-you-want market model will motivate benevolent hackers to create a full-fledged hacking arsenal and–if companies buy those exploits in volume–give researchers a significant new revenue stream. NSS will keep 30% of the sales and, in return, do the research necessary to guarantee buyers that the brokered code will work, while assuring sellers that they’re not offering hacking tools to cybercriminals or foreign governments.
That’s a deal that works for Mario Ceballos, an exploit writer and penetration tester for Northrop Grumman’s security team. “If they do it right this gives guys in my position a venue to put our stuff out there and make some money,” he says.
Security flaws that already have available patches may not seem like a serious problem. But the labyrinthine nature of IT setups and companies’ lax attitudes toward security mean old flaws often go unfixed. A study by security firm Qualys last year found that for some common software like Adobe Flash and Oracle’s Java, half of users still hadn’t implemented patches three months after they were released. That’s often because software updates require costly downtime to install and can create unpredictable errors.
Even skeptics of Moy’s plan, like Marcus Ranum, chief technology officer at Tenable Security, agree that more comprehensive penetration tests may be the only way to show companies how badly they need to revamp their security. “I’ve seen IT managers say that they don’t believe in attacks until you demonstrate them,” he says. “In general I don’t really approve of the idea of selling exploits. But it makes sense in the context of the entire industry’s stupidity.”