New services offer vulnerability reality-check - and exploits

Errata Security has officially rolled out its self-described security researcher-for-hire services, Dark Reading has learned. (See Startup to Take Measure of Security.)

The Atlanta-based security services firm, which was co-founded by Robert Graham, former chief scientist with ISS, and researcher David Maynor, formerly with SecureWorks, is offering two basic services -- a vulnerability analysis service called Hacker Eye View, and professional consulting and architecture review services.

Hacker Eye View for enterprises includes software product evaluations, vulnerability research and analysis, and working exploits developed by Errata for customers to use in their security testing. For vendors, the service includes security assessment and certification branding of their wares based on Errata's own hacking and testing of a vendor's product.

Errata's professional services offering is for enterprises and includes penetration testing and architecture reviews.

So far, the bulk of Errata's customers are enterprises, specifically large, multinational ones, says Errata CTO Maynor. "We can help them prioritize vulnerabilities and cut down on speculating if a vulnerability is serious or a priority." The idea is for Errata to serve as an outsourced research arm of the organization, either to fill or augment their research resources, he says.

Errata's Website also went live today.

Errata now officially joins a crowded market of different types of vulnerability assessment and penetration testing providers, which include Symantec, McAfee, and companies like White Hat Security. Maynor says Errata's differentiator is that it develops its own exploits that customers can use for testing. And its services can be customized for anyone from the CISO to the technical engineer who wants to run the exploit.

"I suspect [Errata will] wind up doing 60 to 70 percent or more of its business on the enterprise side," says Andrew Jaquith, senior analyst with The Yankee Group. He thinks a number of large software vendors will round out the rest of Errata's business.

But not all enterprises will opt for receiving Errata's homegrown exploits. "This is a very controversial practice," Jaquith says. "There are going to be customers that want to have the working exploits so they can test their own defenses. But I think for most, that's a turnoff that looks like vigilante tactics of 'for money, we will give you weaponized proof-of-concept.'"

Maynor says enterprises will be able to tailor the services to their requirements, and Errata is careful about who gets its exploits. "The access to that program is not wide open... We won't be selling a subscription to Russian [cybercriminals]."

Errata's Hacker Eye View vulnerability analysis service studies vulnerabilities and patches. "We are providing information to people on what is actually important -- if a company releases 500 patches, it may only be that there are two serious or critical ones that could infect your enterprise," Maynor says. A bug may not really be exploitable in a particular environment, or it could await the normal patching cycle, he says.

Interestingly, when Errata finds vulnerabilities in its own research, it will simultaneously alert enterprise subscribers and the vendors with the bugs. "If we discover a vulnerability in-house, we will inform the vendor and customers at the same time," Maynor says. That lets the customers react to the problem from the get-go, whether it's applying a patch or making their firewall rules more stringent, he notes.

Errata also offers a public research resource on its Website called Silicon Snake Oil, which educates readers on how to evaluate products for security purposes. "We are trying to teach people how to logically analyze vendor claims and to determine if they are real or not," Maynor says. Its first product audit analysis will be of GuardID Systems' identity theft product, he says, and Errata will alert the company of any bugs it finds.

Pricing for Errata's services is on an individual basis. Errata issues PGP keys to customers who opt for the Hacker Eye View exploits.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
