Comments: I Am So A Dinosaur...
Iang

Has anyone modelled in economics terms why disclosure is better than the alternate(s)?

Posted by Iang at January 26, 2005 6:11 PM
Pete

To evaluate economics at the point of disclosure is too late because by then it is out of our collective hands - that's the whole problem to begin with, that we can't control the process at that point. Discovery is where we should be placing more emphasis. See http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1014528,00.html for more info.

Here is a model for you: (LOCe (existing lines of code) + LOCd (new lines of code created daily)) x Vulnerability Density (5 per 1000 LOC? .1 per KLOC? doesn't really matter) is much, much larger than the avg 10 vulns per day we are finding, and the gap is widening. Discovered vulnerabilities are "comfort food" and distracting if we honestly believe that the true threats are zero-day attacks (exploits against discovered vulns that no good guys know about).

Posted by Pete at January 26, 2005 7:48 PM
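Pete's back-of-the-envelope model, run out over a horizon of days as an added example (not code from the thread): latent vulnerabilities are `(LOCe + LOCd x day) x density`, discovery is a flat 10 per day, and the backlog widens exactly when new code adds vulns faster than they are found. The LOC figures are constructed placeholders, and the model deliberately keeps Pete's framing rather than any particular empirical density.

```python
# Added example (not from the thread): Pete's latent-vs-discovered model.
# All LOC figures are constructed placeholders, not measurements.

def latent_vulns(loc_existing, loc_daily, density_per_kloc, day):
    """Vulns estimated to exist on `day` (0 = today): (LOCe + LOCd*day) x density."""
    return (loc_existing + loc_daily * day) * density_per_kloc / 1000.0

def discovered_vulns(rate_per_day, day):
    """Cumulative vulns the public finds at a constant daily rate."""
    return rate_per_day * day

def backlog(loc_existing, loc_daily, density_per_kloc, rate_per_day, day):
    """Undiscovered backlog on `day`: latent minus publicly discovered."""
    return (latent_vulns(loc_existing, loc_daily, density_per_kloc, day)
            - discovered_vulns(rate_per_day, day))

def gap_widens(loc_daily, density_per_kloc, rate_per_day):
    """Backlog grows iff daily new code contributes more vulns than are found."""
    return loc_daily * density_per_kloc / 1000.0 > rate_per_day

def simulate(loc_existing, loc_daily, density_per_kloc, rate_per_day, days):
    """Backlog series for day 0..days inclusive."""
    return [backlog(loc_existing, loc_daily, density_per_kloc, rate_per_day, d)
            for d in range(days + 1)]

if __name__ == "__main__":
    LOC_EXISTING = 1_000_000_000   # constructed: 1 GLOC already deployed
    LOC_DAILY = 1_000_000          # constructed: 1 MLOC written per day
    FOUND_PER_DAY = 10             # Pete's "avg 10 vulns per day"
    # Pete's point: the density barely matters, the gap widens either way.
    for density in (5.0, 0.1):     # per KLOC
        series = simulate(LOC_EXISTING, LOC_DAILY, density, FOUND_PER_DAY, 365)
        print(f"density {density}/KLOC: backlog day0={series[0]:.0f} "
              f"day365={series[-1]:.0f} widening={gap_widens(LOC_DAILY, density, FOUND_PER_DAY)}")
```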
adam

Pete, your point is a good one, but let's go back all the way to creation, rather than discovery. Vuln density in new code is manageable. The tools are not yet mature, but they're improving. I should also mention that Eric Rescorla has done good work on the question of 'Is Finding Vulns a Good Idea?' He answers no, but I think the tools available to us to block disclosure are worse than the disease.

I'll post more tomorrow on the economics of disclosure, qua disclosure.

Posted by adam at January 26, 2005 11:32 PM
Pete

I am all for reducing the creation of vulns. The risk, of course, is that you never know whether you've found them all. I would love for folks to begin using parallel QA teams of fault injection to estimate defects, but I am not sure that is likely to happen.
Yes, Eric's approach is pretty neat - basically he looks for a downward trend in the number of vulnerabilities found for an application.
Not sure what you mean by "blocking disclosure". My initial reaction is that I didn't do a good job distinguishing between discovery and disclosure. (I am not really looking to block disclosure once the vuln is discovered, just to make it much less attractive to go looking in the first place.)

Posted by Pete at January 27, 2005 11:36 PM
adam

> "The risk, of course, is that you never know whether you've found them all."

Shoot, that one's easy. You haven't found them all. But have you hit a point of diminishing returns for the fully loaded costs of future support?

> "Not sure what you mean by "blocking disclosure"."

Laws like DMCA and UTICA.

Posted by adam at January 27, 2005 11:41 PM