“It is time to examine the economics of depriving cyber criminals of access to new vulnerabilities through the systematic purchase of all vulnerabilities discovered at or above black market prices,” proposed Stefan Frei, research director of NSS Labs. The NSS Labs report, titled “International Vulnerability Purchase Program,” states, “If all of the vulnerabilities for all products are purchased at USD $150,000 each, this still would amount to less than 0.01 percent of the yearly gross domestic product (GDP) for either the US or the European Union (EU). The cost for major software vendors to purchase all of their vulnerabilities at USD $150,000 each is less than one percent of their revenue.”
“Frei’s analysis conservatively estimated that private companies which purchase software vulnerabilities for use by nation states and other practitioners of cyber espionage provide access to at least 85 zero-day exploits on any given day of the year,” wrote Brian Krebs of Krebs on Security. “That estimate doesn’t even consider the number of zero-day bugs that may be sold or traded each day in the cybercrime underground. …The market for finding, stockpiling and hoarding (keeping secret) software flaws is expanding rapidly.”
“Everyone is going to use Adobe Flash or Java or Windows,” wrote Adam Kujawa, lead of the Malware Intelligence Team at Malwarebytes. “This means that said vulnerable applications are not only targeted greatly because of their widespread use but also completely unopposed in the market, which (in theory) means that they don’t have to update or patch because users will still use their products because they don’t have any competition.”
While “paying $150k for bug bounties would help the industry because more professional vulnerability researchers would opt to go the white hat route,” eliminating software flaws will not stop social engineering and web attacks, which play a “massive part of the process.” Kujawa also suggested a “federally approved industry seal for software that has been tested.” Users would then at least know whether or not an app had been vetted before they installed it.
You could also approach the benefits from a liability standpoint. Many banks are held liable for money lost in a robbery, and an amusement park is liable for a ride that malfunctions and injures a guest. Why don’t we hold software developers to the same standard, so that when their product gets exploited they can be held liable for the resulting data loss?
“Software security is a ‘negative externality’: like environmental pollution, vulnerabilities in software impose costs on users and on society as a whole, while software vendors internalize profits and externalize costs,” Krebs explained. “Thus, absent any demand from their shareholders or customers, profit-driven businesses tend not to invest in eliminating negative externalities.”
“No matter how large a vendor’s security team, it cannot compete with the combined experiences of a global group of individual specialists or organizations with diverse backgrounds, education, culture, and skills,” NSS Labs noted. Critical zero-day vulnerabilities will continue to be discovered and exploited by cyber crooks. An enforced high bug bounty price could be the solution. As a plus, it could put a serious dent in exploit brokers’ wallets.
I like the proposal of $150,000 per exploit, regardless of whether the vulnerability is big or small, as it would keep bug hunters searching for software flaws and keep us safer as a whole. It could also help the black hat sons of Grinches decide to do the “right” white hat thing; then they might even make the nice list instead of the naughty list. That’s all for now. Have a very Merry Christmas and a happy New Year!