Martin Bos (@purehate_) asked an intriguing question over twitter the other day. Should 0day exploits be used in "standard" penteration tests. Some rightly asked to define what a "standard" pentest truly is, since scope could literally be anything you can think of. Josh Abrams (@jabra) responded with what is probably the best answer with "0day usage should match the maturity of the target." Beautifully stated.
But the discussion got my gears turning. Josh Corman (@joshcorman) blogged back in November 2011 about the concept of HDMoore's Law (http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/). It's a great read and I feel very pertinent and accurate. The original Moore's law roughly states, depending on who you hear it from, that technology (i.e. the number of inexpensive tranistors that can be put onto a circuit) doubles every two years.
When you look at the IT industry as a whole, this law partially explains many business related bell curves - advanced technology has the innovators, early adopters, early majority, late majority and laggards. Everything eventually becomes commoditized. Relying on a particular technology or skillset that your organization may possess advanced skills in to keep a competitive edge over your competition over time is a losing battle. Skillsets are learned. Technology advances and improves. Competition eventually catches up. In order to remain ahead of the pack organizations must continually find the next advanced technology to specialize in.
Corman's point with the HDMoore's law concept is that the advancement of the metasploit framework is lowering the cost of admission in winning and performing successful "standard" pentests. Business histories and frameworks dictate that that the advanced technology of penetration testing will eventually become commoditized. Pentest geeks can stop your whining now, we all know you are talented and always searching for new, improved and advanced methods of testing. That's not the argument. Cutting edge is still cutting edge. But once pentesting tools advance to the point that those of us who are neither exploit hunting hobbyists nor being paid to discover 0day vulnerabilities can compete with specialists and win engagements with the majority of non-"mature" clients, could the differentiating factor result in today's hardcore pentesting community to actively pursue the acquisition of previously unknown 0day exploits?
Supply and demand. Could Whitehat(ish) practitioners eventually significantly contribute to Blackhat revenue, GP margin and Operating margin just to stay ahead of the closing pack of mediocre pentesters using advanced pentesting tools? Thereby funding the work of the evil hackers?
Martin made a good point on an unrelated thread about hey, you make a neat argument but please back that up with a recommeded solution. There is no "solution" in this case (sorry, Martin). This is simple business modeling and evolution and you need to adapt accordingly. One path in that adaptation may lead to this particular scenario.
