http://emergentchaos.com/archives/2005/01/i-am-so-a-dinosaur.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://emergentchaos.com/archives/2005/01/i-am-so-a-dinosaur.html/comment-page-1#comment-315 adam Thu, 27 Jan 2005 23:41:00 +0000 http://emergentchaos.com/?p=413#comment-315 > "The risk, of course, is that you never know whether you've found them all." Shoot, that one's easy. You haven't found them all. But have you hit a point of diminishing returns for the fully loaded costs of future support? > "Not sure what you mean by "blocking disclosure". " Laws like DMCA and UTICA. > “The risk, of course, is that you never know whether you’ve found them all.”
Shoot, that one’s easy. You haven’t found them all. But have you hit a point of diminishing returns for the fully loaded costs of future support?
> “Not sure what you mean by “blocking disclosure”. ”
Laws like DMCA and UTICA.

]]> http://emergentchaos.com/archives/2005/01/i-am-so-a-dinosaur.html/comment-page-1#comment-314 Pete Thu, 27 Jan 2005 23:36:59 +0000 http://emergentchaos.com/?p=413#comment-314 I am all for reducing the creation of vulns. The risk, of course, is that you never know whether you've found them all. I would love for folks to begin using parallel QA teams of fault injection to estimate defects, but I am not sure that is likely to happen. Yes, Eric's approach is pretty neat - basically he looks for a downward trend in the number of vulnerabilities found for an application. Not sure what you mean by "blocking disclosure". My initial reaction is that I didn't do a good job distinguishing between discovery and disclosure. (I am not really looking to block disclosure once the vuln is discovered, just to make it much less attractive to go looking in the first place.) I am all for reducing the creation of vulns. The risk, of course, is that you never know whether you’ve found them all. I would love for folks to begin using parallel QA teams of fault injection to estimate defects, but I am not sure that is likely to happen.
Yes, Eric’s approach is pretty neat – basically he looks for a downward trend in the number of vulnerabilities found for an application.
Not sure what you mean by “blocking disclosure”. My initial reaction is that I didn’t do a good job distinguishing between discovery and disclosure. (I am not really looking to block disclosure once the vuln is discovered, just to make it much less attractive to go looking in the first place.)

]]> http://emergentchaos.com/archives/2005/01/i-am-so-a-dinosaur.html/comment-page-1#comment-313 adam Wed, 26 Jan 2005 23:32:32 +0000 http://emergentchaos.com/?p=413#comment-313 Pete, your point is a good one, but lets go back all the way to creation, rather than discovery. Vuln density in new code is managable. The tools are not yet mature, but they're improving. I should also mention that Eric Rescorla has done good work on the question of 'Is Finding Vulns a Good Idea?' He answers no, but I think the tools available to us to block disclosure are worse than the disease. I'll post more tomorrow on the econmics of disclosure, qua disclosure. Pete, your point is a good one, but lets go back all the way to creation, rather than discovery. Vuln density in new code is managable. The tools are not yet mature, but they’re improving. I should also mention that Eric Rescorla has done good work on the question of ‘Is Finding Vulns a Good Idea?’ He answers no, but I think the tools available to us to block disclosure are worse than the disease.
I’ll post more tomorrow on the econmics of disclosure, qua disclosure.

]]> http://emergentchaos.com/archives/2005/01/i-am-so-a-dinosaur.html/comment-page-1#comment-312 Pete Wed, 26 Jan 2005 19:48:56 +0000 http://emergentchaos.com/?p=413#comment-312 To evaluate economics at the point of disclosure is too late because by then it is out of our collective hands - that's the whole problem to begin with, that we can't control the process at that point. Discovery is where we should be placing more emphasis. See <a href="http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1014528,00.html" rel="nofollow">http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1014528,00.html</a> for more info. Here is a model for you: (LOCe (existing lines of code) + LOCd (new lines of code created daily)) x Vulnerability Density (5 per 1000 LOC? .1 per KLOC? doesn't really matter) is much, much larger than the avg 10 vulns per day we are finding, and the gap is widening. Discovered vulnerabilities are "comfort food" and distracting if we honestly believe that the true threats are zero-day attacks (exploits against discovered vulns that no good guys know about). To evaluate economics at the point of disclosure is too late because by then it is out of our collective hands – that’s the whole problem to begin with, that we can’t control the process at that point. Discovery is where we should be placing more emphasis. See http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1014528,00.html for more info.
Here is a model for you: (LOCe (existing lines of code) + LOCd (new lines of code created daily)) x Vulnerability Density (5 per 1000 LOC? .1 per KLOC? doesn’t really matter) is much, much larger than the avg 10 vulns per day we are finding, and the gap is widening. Discovered vulnerabilities are “comfort food” and distracting if we honestly believe that the true threats are zero-day attacks (exploits against discovered vulns that no good guys know about).

]]> http://emergentchaos.com/archives/2005/01/i-am-so-a-dinosaur.html/comment-page-1#comment-311 Iang Wed, 26 Jan 2005 18:11:08 +0000 http://emergentchaos.com/?p=413#comment-311 Has anyone modelled in economics terms why disclosure is better than the alternate(s) ? Has anyone modelled in economics terms why disclosure is better than the alternate(s) ?

]]>