Re: Faster, smashter. (fwd)
From: sinan.eren () immunitysec com
Date: Tue, 9 Dec 2008 21:19:11 -0500 (EST)

I have been thinking about a potential futures market model to hedge the risk 
of software vulnerabilities. Perhaps a modified Black-Scholes-Merton model that 
could be tied into Microsoft's exploitability index to determine the premium on 
the futures contract? Hedgers (companies, governmental institutions, military 
etc.) could then purchase these contracts from speculators (these could be us) 
to tie their risk into a dollar amount. On the other hand researchers can sell 
these contracts if they feel strongly about a piece of software or, inversely, buy these 
contracts to cash in their 0day when it hits the public domain. We need a fair 
market place for 0day (outside of the 2 known players whose model benefits no 
one) and I believe a futures market model is the way to go. After all, if you can 
hedge your exposure to weather, why can't you hedge it against 0day? It is not 
as crazy as it sounds ....

I would appreciate ideas to tie the value of a vulnerability to a premium, any 
quants who do security as well?


On Tue, 9 Dec 2008, Dave Aitel wrote:

 One technique we're doing this week with a client is taking an attack
 tree and marking it up with dollar values, i.e. if you wanted to buy
 an 0day in X component, how much would it cost?

 This then is a simple summation to produce a "how much is it to get
 into the internal network from the internet" which the business can
 use to help them decide yay/nay on the project as a whole depending on
 their own view of the threat and the value of the information they are


 Halvar Flake wrote:
 Hey all,

 It seems that discussions in ITsec are periodic -- the same
 discussions and same arguments come up again and again.

 1. Of course attackers use new vulnerabilities. It is the nature of
 offense. Defense is done "to the maximum of current knowledge".
 Offense, by its nature, has to expand on the status quo.

 2. How do you simulate an attack with a new vulnerability if you
 don't have one?

 Well, military folks do wargames all the time without actually
 using up the arsenal they have on the shelves. Network attacks
 should probably be done in a similar manner -- have an umpire, and
 give the attacking team a few "0day cards". With these cards they
 get high-probability code execution for a piece of software of
 their choice.

 The pentest then proceeds like a game, but can be conducted on the
 real network, too.

 But I am repeating myself ...

 Cheers, Halvar
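The costed attack tree Dave describes, written out as an added example (not code from anyone on this thread): leaves are priced at what the capability would cost to acquire, AND nodes sum their children, OR nodes take the cheapest child, and the root gives the cheapest way in. All component names and dollar figures are constructed for illustration.

```python
"""Attack-tree costing: each leaf is a step priced at what it would cost
to buy that capability (e.g. a 0day in a component). AND nodes need every
child, so their cost is the sum; OR nodes need any one child, so their
cost is the minimum. The root's answer is the cheapest path to the goal.
All prices here are constructed illustration values, not market data."""
from dataclasses import dataclass, field
from typing import List, Tuple, Union


@dataclass
class Leaf:
    name: str
    cost: float  # dollars to acquire this capability (constructed)


@dataclass
class Node:
    name: str
    kind: str  # "AND": all children needed; "OR": any one child suffices
    children: List["Tree"] = field(default_factory=list)


Tree = Union[Leaf, Node]


def cheapest(tree: Tree) -> Tuple[float, List[str]]:
    """Return (minimum cost, leaf steps on that cheapest path)."""
    if isinstance(tree, Leaf):
        return tree.cost, [tree.name]
    if not tree.children:
        raise ValueError(f"{tree.name}: node has no children")
    results = [cheapest(c) for c in tree.children]
    if tree.kind == "AND":
        return sum(r[0] for r in results), [s for r in results for s in r[1]]
    if tree.kind == "OR":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"{tree.name}: unknown node kind {tree.kind!r}")


# Constructed tree: "get into the internal network from the internet".
INTERNET_TO_INTERNAL = Node("internal network access", "OR", [
    Node("via exposed web application", "AND", [
        Leaf("0day in web framework", 40_000),
        Leaf("privilege escalation on web host", 15_000),
    ]),
    Node("via client-side", "AND", [
        Leaf("0day in mail client", 60_000),
        Leaf("phishing campaign", 2_000),
    ]),
    Leaf("weak VPN credential handling", 70_000),
])


def internet_to_internal_cost() -> float:
    """Dollar figure the business can weigh against the value at risk."""
    return cheapest(INTERNET_TO_INTERNAL)[0]
```

Raising the price of any leaf on the cheapest path (by patching or hardening that component) and re-running shows how much a given control moves the headline number.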
