At the recent SyScan Conference in Singapore, Immunity Inc.'s CEO Justine Aitel gave a presentation with surprising statistics on so-called zero-day (0-day) exploits. The term refers to exploits for security flaws that have been discovered by "hackers" but not reported to anyone who can or will patch them, so that on the day they are first used no fix exists.

Immunity has found that the average 0-day exploit survives for 348 days before the underlying flaw is discovered and patched, less than a month short of an entire year. One 0-day exploit went unaddressed for over three years, while the quickest case, from discovery to patch, took 99 days.

Perhaps the most disturbing aspect of Aitel's presentation was her observation that 0-day exploits are increasingly aimed at the financial sector, including stock trading and analysis systems. Such systems are rife with 0-day flaws, Aitel says.

The hackers who find the flaws are eager to sell the resulting exploits to the highest bidder, and Immunity buys and studies such exploits but does not publicly reveal them. The company's experience watching the life cycle of 0-day exploits leads Aitel to believe that too many companies are relying on public information channels to learn of new exploits when they should be hiring hackers to find the flaws first. The time between exploit and patch is dangerously long.

0-day exploits are both extremely dangerous and extremely difficult to find, which means that most companies haven't been aggressive about searching the software they run for flaws that could be exploited this way. Instead, IT shops rely on notifications from developers and vendors about flaws, but Immunity's data suggests that you might be waking up to reality almost a year too late, and in the meantime, you may have suffered serious security compromises.

At the same time, protecting yourself from exploits isn't just a matter of checking all your locks. Senior executives have to be brought in and informed of what's going on, because IT departments need to be cautious about reverse engineering that could land them in trouble with the DMCA or with the license terms that commonly prohibit it. Businesses should be working with software vendors to make sure that their agreements allow for unfettered security testing, Aitel says.

Interestingly, Aitel has another set of recommendations that CEOs and CIOs may not be expecting: coddle and nurture your own hackers as employees. Aitel says that making hackers feel safe and comfortable is the best way to get production out of them, so open up your network to IRC ("they need IRC like a fish needs water"), forget about a dress code, and try to extol the benefits of working normal daylight hours. Having hackers in house will save money in the long run, because the cost of an outside intrusion is extremely high and paying it buys no protection against the next incursion. As such, preventative hacking is the way to go.

According to Aitel, the search for 0-day flaws is popular not only among "hackers" but also among university computer science departments, which are in it for both the fame and the intellectual stimulation. The growing market in 0-day exploits doesn't hurt either, as more and more hackers are looking for compensation for their time and effort. A new auction site for exploits claims that compensating hackers fairly for their work is the only way to keep such exploits out of the hands of criminals.

You can view Aitel's presentation online in PDF form.