Wednesday, September 16, 2009
Vulnerability Research Market
Jared DeMott just emailed me a great briefing from Pedram Amini discussing the 0-day software vulnerability market. Nice survey of the landscape, interesting findings, players, etc. You can find the briefing here: Adventures in buying vulnerabilities. He also gives some quantitative data describing vendor performance, number of bugs, etc.
On this topic, Charlie Miller wrote a nice paper on the economics of vulnerabilities that was published in 2007 here. The market has continued to change/mature since his paper. WabiSabiLabi went out of business (when their founder was arrested on separate charges!) and new players have entered/exited. Companies exist all over the US focused on this problem space. That motivated me to do a little survey and capture here who some of the players are, I haven't seen a great list in one place.
In the process of doing this survey I ran across some interesting papers that I'm also posting here. One is a nice short summary from a company focused on mobile handset/infrastructure vulnerability analysis summarizing some of the technologies/market from their perspective. Bruce Schneier and Marcus Ranum have an interesting debate on the general field of vulnerability research. There's a solid academic paper from a year earlier then Charlie's paper at WEIS someone just pointed me towards. They describe the market in 2006 and provide another perspective on some of the commercial players, some of the models/motivations for sellers and buyers.
Even Pedram's briefing and the below list are certainly not exhaustive, for every entry here there are a couple of people with a small firm or wedged in some large enterprise. I didn't include academic groups or individuals who have gathered acclaim, as I'm really following Pedram's line of thinking about the commercial market and wanted this post to take less then 2 hours (I've already failed!) I attempted to capture some of the major players companies in the American commercial and government contracting communities that have a stated presence/interest in the market. The interested reader should be able to recreate these findings (and probably expand them) by perusing the Blackhat/CansecWest briefings over the last 3 years, job postings, and permutations on Google searches that include "vulnerability research".
Some of the more interesting players in the purely commercial market include:
Tipping Point/DVLabs Sell intelligence/IDS data
IDefense, Sell intelligence/IDS data (see Pedram's briefing for other similar companies)
Vulnerability Research Labs (Couldn't get a logo due to Flash!) Sell intelligence/IDS data?
iSight Partners maintains their Global Vulnerability Partnership and sell vulnerability data to a pool of customers looking for threat intelligence.
Netragard maintains an active vulnerability acquisition program and claim to be the only IT services provider to do so.
Fortify (source code analysis)
Veracode (source/binary code analysis "in the cloud")
The ex-Idefense guys at Endgame Systems. Sell intelligence/IDS data
Immunity Security (and their third party vendors listed on their site). Sell penetration testing tool and perform contracted research
Core Security Sells a penetration testing tool. (Probably Immunity's main competitor).
Charlie Miller's company Independent Security Evaluators. Contracted vulnerability researchers.
Mark Dowd and company at IBM/ISS-Xforce, sell intelligence/IDS data
There are a number of government contractors out there too. They aren't as clear on their business model/portion of the market for vulnerability research usually, probably contracted testing to secure systems or provide advanced threat intelligence data.
SAIC (Kind of tricky as they are so fragmented.) Here's a great job description.
Harris Crucial Security (here's a job writeup)
SRA (check out a posting here)
Mantech (so many postings across the board I didn't bother)
Raytheon (I enjoyed their creatively named job postings)
Those are some companies that seem to have some critical mass and advertise their capabilities/products/personnel in this important area. Let me know if you think some companies are missing off this list by dropping me an email or posting back.