IBM X-Force just released a report about who is better at discovering software vulnerabilities. It hammers independent researchers.
IBM X-Force report slams independent security researchers
To quote:
The report was critical of independent security researchers, drawing attention to statistics that showed independent researchers are almost twice as likely to have exploit code published on the same day as their vulnerability disclosure as vendor-driven research organizations. Over the past year and a half, independent researchers discovered 70% of all vulnerabilities that were not anonymously disclosed, but vendor research organizations found 80% of critical vulnerabilities, meaning those with a Common Vulnerability Scoring System (CVSS) base score of 10.
"You have to ask yourself whether you're providing more responsive patching and protection techniques, or are you doing it for self-driven, egocentric reasons," said Kris Lamb, director of IBM's X-Force research.
No. This is the wrong question. You have to ask yourself why security researchers are doing for free what software manufacturers should be doing themselves, more comprehensively, before releasing their products.
Whether it is independent researchers or vendor research organizations makes no difference. Both are subsidizing substandard manufacturing practices for one of the most lucrative and profitable industries on earth. Researchers of all stripes are providing a free service to software manufacturers by discovering vulnerabilities that software manufacturers should have detected - or better yet, avoided - in the first place.
In short, the argument over who is better or more responsible at discovering vulnerabilities is childish, vain, and incomprehensibly short-sighted. It is a stopgap practice that has become the status quo. It perpetuates bad software, subsidizes mediocrity, and shields manufacturers from bearing the burden they should rightly bear.
"But if we don't do it, people will be at risk," might be the ardent reply. And the answer would be, "You're right."
This is a prime example of market failure, where the players cannot self-correct. We cannot stop discovering vulnerabilities, because we would be worse off if we did, but by doing so we also perpetuate the problem.
Security researchers are doing far less good than they believe and should avoid squabbling over who is better at doing the job software manufacturers have abdicated to victims.