Dailydave mailing list archives
Re: Faster, smashter. (fwd)
From: sinan.eren () immunitysec com
Date: Tue, 9 Dec 2008 21:19:11 -0500 (EST)
(moderator: retry from subscribed account)

I have been thinking about a potential futures market model to hedge the risk of software vulnerabilities. Perhaps a modified Black-Scholes-Merton model that could be tied into Microsoft's exploitability index to determine the premium on the future contract? Hedgers (companies, governmental institutions, military etc.) could then purchase these contracts from speculators (these could be us) to tie their risk to a dollar amount. On the other hand, researchers can sell these contracts if they feel strongly about a piece of software or, inversely, buy these contracts to cash in their 0day when it hits the public domain.

We need a fair marketplace for 0day (outside of the 2 known players whose model benefits no one) and I believe a futures market model is the way to go. After all, if you can hedge your exposure to weather, why can't you hedge it against 0day? It is not as crazy as it sounds....

I would appreciate ideas to tie the value of a vulnerability to a premium. Any quants who do security as well?

-sinan

On Tue, 9 Dec 2008, Dave Aitel wrote:
One technique we're doing this week with a client is taking an attack tree and marking it up with dollar values. I.e. if you wanted to buy an 0day in X component, how much would it cost? This then is a simple summation to produce a "how much is it to get into the internal network from the internet" which the business can use to help them decide yay/nay on the project as a whole, depending on their own view of the threat and the value of the information they are protecting.

-dave

Halvar Flake wrote:

Hey all,

It seems that discussions in ITsec are periodic -- the same discussions and same arguments come up again and again.

1. Of course attackers use new vulnerabilities. It is the nature of offense. Defense is done "to the maximum of current knowledge". Offense, by its nature, has to expand on the status quo.

2. How do you simulate an attack with a new vulnerability if you don't have one? Well, military folks do wargames all the time without actually using up the arsenal they have on the shelves. Network attacks should probably be done in a similar manner -- have an umpire, and give the attacking team a few "0day cards". With these cards they get high-probability code execution for a piece of software of their choice. The pentest then proceeds like a game, but can be conducted on the real network, too.

But I am repeating myself ...

Cheers,
Halvar
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
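To make the dollar-valued attack tree Dave describes concrete, here is an added example (written for this page, not Immunity's or the client's tooling) that rolls estimated acquisition costs up a small tree so a business can see the cheapest route to the internal network and decide which branch to spend defensive budget on. It goes slightly beyond the plain summation in the post by treating AND nodes as sums and OR nodes as the minimum over branches; the components and prices are constructed placeholders, not real figures.

```python
from dataclasses import dataclass, field
from typing import List, Union

# Attack tree with estimated dollar costs, in the spirit of the post above.
# AND nodes sum the cost of every child, OR nodes take the cheapest child,
# and leaves carry a constructed estimate of what the capability would cost.

@dataclass
class Leaf:
    name: str
    cost: float  # estimated dollar cost to obtain this capability (constructed)

@dataclass
class Node:
    name: str
    op: str  # "AND" or "OR"
    children: List[Union["Node", Leaf]] = field(default_factory=list)

def cheapest(node):
    """Return (cost, leaf names) for the cheapest way to achieve this node."""
    if isinstance(node, Leaf):
        return node.cost, [node.name]
    results = [cheapest(child) for child in node.children]
    if node.op == "AND":
        return sum(r[0] for r in results), [n for r in results for n in r[1]]
    if node.op == "OR":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown op {node.op!r}")

# Constructed sample tree (hypothetical components and made-up prices).
INTERNAL_NETWORK = Node("internal network access", "OR", [
    Node("exploit VPN gateway", "AND", [
        Leaf("0day in VPN appliance", 60000),
        Leaf("target reconnaissance", 2000),
    ]),
    Node("phish an employee", "AND", [
        Leaf("client-side 0day (document reader)", 40000),
        Leaf("employee e-mail list", 500),
        Leaf("sandbox escape", 25000),
    ]),
    Node("compromise exposed web app", "AND", [
        Leaf("0day in the web framework", 30000),
        Leaf("privilege escalation on the host", 15000),
    ]),
])

def cost_to_internal_network():
    """Cheapest estimated path from the Internet to the internal network."""
    return cheapest(INTERNAL_NETWORK)
```

With the constructed figures the web-app branch is the cheapest at $45,000, which is the number the business would weigh against the value of what sits behind it.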