[Dailydave] The Week of Oracle Database Bugs
Dave Aitel
dave at immunityinc.com
Mon Nov 27 11:15:01 EST 2006
I don't think it is an angels-on-a-pin question. When it comes to
valuing vulnerabilities you have to take into account the
"obviousness" of a particular vulnerability. This goes directly into
cost because it speaks to the lifespan of the vulnerability. Not only
do you have to worry about automated technologies finding your
vulnerability as they get slightly better over time, but you have to
think about how many other people have the skill, the time, and the
inclination to find that particular fish.
For example, bugs found with fuzzers are rarely worth a lot of money.
As Sinan says, "Fish caught with a wide net go brown quickly".
In other words, economically, releasing SPIKE as GPL was a way to
clean out a lot of fish from the shallows quickly, so that the smaller
fishing crews would go get jobs at a factory. Finding a deep sea fish
can take months, and exploiting it, more months. But at the end, it's
something that lasts for years. A Leviathan, unseen.
Of course, it is impossible to place a metric on "obviousness" which
is why patents are such a horrible tool for social manipulation and
why valuing vulnerabilities is still mostly gut feel.
--dave
dan at geer.org wrote:
> The nuance I was trying to get across is this: If and when I
> discover a vulnerability, it is prudent on my part (as a researcher)
> to assume that someone else has already discovered that vuln.
> Perhaps the most conservative position is that if I discover a
> vuln, I should not only assume that it has been previously
> discovered by persons unknown but that as well as being already
> discovered it is already in use. If I take such a conservative
> position, then it might be also a conservative position that the
> first activity should be to mitigate the attack vector the vuln
> represents and, only after that is done, turn one's attention to
> removing the vuln itself.
>
> This may, of course, be much like debating how many angels can fit
> on the head of a pin.
>
> --dan