Many industries tend to run in identifiable cycles. Financial services, the auto industry, entertainment: they all have cycles. Because the security industry isn’t nearly as old as any of these, it hasn’t had much of a chance to establish such cycles. But one seems to be appearing now in the form of renewed criticism and distaste for offensive security research.
The most recent cycle has been building momentum for some time now, but the jumping-off point may have come last month in a talk by Adobe security and privacy chief Brad Arkin. The gist of the talk was that defenders need to focus their energy on making exploitation and attacks more expensive for the bad guys. However that happens, whether through the addition of exploit mitigation technologies, deploying sandboxes or any number of other techniques, raising the cost of attacks should be the priority.
“I would say to the researchers here, work on defense. This is where you’re going to make a difference,” Arkin said. “If you come up with a new offensive technology, the bad guys will use it.”
That’s in contrast to the mentality that has prevailed among many software companies and security professionals, who often focus on finding and fixing as many security vulnerabilities as possible. The more bugs you fix, the fewer there are for the attackers to exploit, after all.
That’s true, of course, but it ignores the fact that the total number of bugs is unknowable and constantly changing. It also ignores the fact that many attackers never bother with zero days; there’s no need. So many older vulnerabilities lie unpatched on millions and millions of machines that it’s a waste of time and money for attackers to look for new ones to exploit.
“Financially motivated attackers don’t invest in original research. It’s too expensive these days,” Arkin said. “It’s pen testers or it’s nation states or the people funded by them. That research is done by professional bad guys who have financial horizons that far exceed those of financially motivated bad guys.”
At last week’s RSA Conference there were more murmurs about the relative value of offensive security research, too. The ongoing debate about the sale of bugs, whether on the black market, in the grey area of government sales or to legitimate entities such as the Zero Day Initiative, includes some in the security community who are of the mind that selling vulnerabilities is an inherently shady activity. That discussion came up many times over the course of the week, with a predictable lack of agreement on the subject.
The problem, opponents of bug sales say, is that regardless of who you sell the bug to, you have no way of knowing against whom that vulnerability might ultimately be used. Some researchers say that’s not their problem; they do the research and make the sale and what happens after that is up to the buyer and out of their hands.
With the Pwn2Own contest at CanSecWest scheduled for later this week, the conversation will likely not just continue, but amp up. Offense is at the fore at CanSecWest, not just during Pwn2Own, but during the conference talks, as well, and rare is the year that a major bug or exploitation technique isn’t revealed there.
This is not the first time this carousel has spun round this way. Ten or fifteen years ago, as legitimate security research was making its way into the mainstream, many vendors had reactions bordering on anaphylactic shock when a researcher reported a bug to them or went public with it after a lack of response. Large software companies, including Microsoft and Oracle, would in some cases refuse to deal with researchers at all or slow the process down to such a point that it was impossible for the researchers to know whether the bug would ever be fixed.
That led to the brain-melting disclosure debate, which has never gone away, and it also led to the establishment of formal security response programs and organizations at many companies. Later, it helped spur the bug bounty programs run by companies such as Google, Mozilla and others, to reward security researchers who chose to report their findings to the vendors privately.
So, as often happens, what was old is now new again. But this time it has the added spice of cyberwar hysteria, with legions of highly trained foreign attackers using zero days stolen from some secret NSA database. Maybe that’s happening. Who knows? But what’s definitely happening is that researchers are selling bugs to a variety of people and organizations, some legitimate and others not. And as long as serious bugs can command six figures, that’s never going to end and neither will offensive security research.