Secure Coding mailing list archives

Economics of Software Vulnerabilities


From: mudge at uidzero.org (mudge)
Date: Wed, 21 Mar 2007 17:39:16 -0400



On Mar 21, 2007, at 3:57 PM, Arian J. Evans wrote:

> Spot on thread, Ed:
>
> On 3/20/07, Ed Reed <ed.reed at aesec.com> wrote:
>> Not all of these are consumer uprisings - some are, some aren't - but I think they're all examples of the kinds of economic adjustments that occur in "mature" markets.
>>
>> "Unsafe at any speed" (the triumph of consumer safety over industrial laziness)
>> Underwriter Laboratories (the triumph of the fire insurance industry over shoddy electrical manufacturers)
>> VHS (vs BetaMax - the triumph of content over technology)

Sorry, but I couldn't help but be reminded of an old L0pht topic that we brought up in January of 1999. Having just re-read it I found it still relatively poignant: Cyberspace Underwriters Laboratories[1].

It seems to me that a lot of what was of concern then is still of concern now and without great headway being made over these last 8 years.

Some notable items (warning, these are subjective and broad-stroked) have been the commercial world eschewing TCSEC / Common Criteria[2], FIPS 140 being useful for some relatively niche areas and focusing on only portions of a device/component/code, and Trusted Computing really veering away from trusted computing platforms and codebases for classical security compartmentalization and instead focusing on DRM[3].

Just thinking out loud.

cheers,

.mudge

[1] http://packetstormsecurity.org/docs/infosec/cyberul.html
[2] oftentimes due to requiring frameworks and configuration capabilities that end up not being used or too complicated for many people to customize.
[3] back to the thread topic somewhat... being economics based.
