Secunia launches pay-as-you-go exploit shop

The new Binary Analysis Service is billed as a one-stop-shop for indepth analysis of the "worst and most interesting vulnerabilities" affecting widely deployed software products.   It will include exploits and proof-of-concepts for verification purposes and is available only for "certain types of vendors and governments."

Secunia CTO Thomas Kristensen said the service is strictly "defensive in nature" with a goal to provide reliable intelligence for security vendors -- especially anti-virus and IDS/IPS companies that rely on flaw data to create rules and signatures.   It is also being marketed to corporate and national entities that have the technical capacity to create custom rules in-house for their IDS/IPS products.

[ SEE: Microsoft makes daring vulnerability sharing move ]

The company says it will strictly monitor access to the new service.

All the security vendors and other companies, who are approved, will get access to buy the Binary Analyses on a "pay as you go" basis or as an annual subscription, which gives unlimited access to the historical analyses and approximately 200 new analyses per year.

The company has already released free sample analyses with information on serious security vulnerabilities in Microsoft GDI+, Microsoft Word, Microsoft Windows OLE automation, Samba and Adobe Flash.

During the past 2 years we have serviced a few selected AV and IDS/IPS vendors with this intelligence, however, we have also realized that far too many of the other AV and IDS / IPS vendors -- including the major ones -- fail to detect many attacks utilising critical vulnerabilities simply because they too often create payload based signatures rather than vulnerability based signatures, Kristensen said.[ SEE: Secunia: 28% of all installed apps are insecure ]

The Secunia move follows news from Microsoft that it will start sharing details on software vulnerabilities with security vendors ahead of Patch Tuesday.  The new Microsoft Active Protections Program (MAPP), which launches in October, will give anti-virus, intrusion prevention/detection and corporate network security vendors a headstart to add signatures and filters to protect against Microsoft software vulnerabilities.

The idea is to provide detection guidance ahead of time to help security vendors reproduce the vulnerabilities being patched and ship signatures and detection capabilities without false positives.

Some criteria for participants in MAPP include:

• Members must offer commercial protection features to Microsoft customers against network- or host-based attacks.
• Members must provide protection features to a large number of customers.
• Members may not sell attack-oriented tools.
• Protection features provided by members must detect, deter or defer attacks.

* Image sources:  Secunia and HorseHats.com.