Browsing through my collection of papers & presentations and ran across these:

The IPO of 0day by Justine Aitel and 0day – How hacking really works by Dave Aitel

They’re both quite old (the latter is 3 years old), but relevant.

Reading them brings the interesting observation that the product space simply can’t address the 0day threat. You really need to hire a hacker or hire a pentesting team if you’re concerned about addressing the possibility. Did your last pentest address the threat??

Justine brings up the fact that there are 3 types of pentesters (and if you hire the lower tier, you might as well do the work yourself, heh):

• Top tier: Can find / exploit 0day.
• Middle tier: Can utilize tools that exploit 0day.
• Bottom tier: Run a scanner.

Many companies I’ve worked with don’t even consider 0day as a threat. (In fact, i’m trying to think of a single one…) Maybe it’s viewed as a too remote a possibility, maybe it’s not considered relevant for the typical organization, or maybe it’s just too damn difficult to protect against.

Should you? I’m not convinced that every company needs to. But who does? Surely financial organizations, banks, insurance companies, government institutions. Who else? Anyone running financial transactions over custom (probably old / lightly maintained) software…

Is it valid to consider as a real threat? How much time / money should be invested to mitigate the risk?