We all know it happens, but it is rarely exposed as clearly as Adam Pennenberg exposes it in his article for Fast Company, The Black Market Code Industry. It turns out that this 0day seller was an HP employee:

According to the consultant who snared Marester, his quarry's skills appear quite sophisticated. His wares, if they performed as advertised, could help a hacker take down machines running that particular software anywhere in the world. His real name is Steve Rigano; he's a self-employed network consultant from Grenoble, France, who works full time at HP, where he is listed in the switchboard and maintains an hp.com email address. He told me that he saw nothing wrong with offering tools and techniques that targeted the company providing his paycheck.

A self-taught hacker, Rigano says he discovered the vulnerabilities and coded the exploits on his own time, which he says is none of HP's business. "I have the right to sell what I want," he says. He told me he attracted mostly Chinese and Russian buyers, but claimed he never found takers for the HP or SAP "vulns" and exploits. He said he stopped selling black-market code in January but didn't explain why.

Most security companies I have been acquainted with frown on this type of activity, as I am sure HP does. It's hard for them to sell security products and services when their employees are selling the very tools the company is purportedly defending against.

[Update 7/7/2008: The information in the Fast Company article is being disputed by Steve Rigano. He has notified us that he has taken legal action against Adam Pennenberg and Fast Company.]

About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (1)

joedoe | September 22, 2008 12:01 pm

Look at comments of the linked article.
