Speaker: Alfonso De Gregorio
How do we build a future in software security?
/me: the slides that will be posted have a ton of detail that Alfonso sped through. you’ll get a very good feel from them
Metrics are the servants of risk management and RM is about making decisions
we have incomplete information about # & severity of vulns
software products are highly defective and have no accountability
Bugs & Carrots
discussion around what software vendors are incented to do/why
features > security
bug fix > vuln fix
time to market > test/verify
M&Ms
(Markets & Metrics)
we need to put a cost on the software flaws with laws/regs & change in liability models
create feedback mechanisms (/me: open group work on security architecture?)
investment metrics to-date have challenges, especially in severity and probability of events
market-based metrics would provide a different context (e.g. stock market pricing)
create an infosec security market?
- bug challenges
- auctions
- vuln brokers
- infosec insurance
- exploit derivatives
info function / incentive function / risk balancing function efficiency – all factors in creating a vulnerability market
/me: make a table with bullets above as rows and factors list as columns to do a comparison
suggests an Exploit Derivatives market (futures contracts for vulns)
[side-talk: discussion about derivatives vs futures and how the profit incentives may be conflicting]
[side-talk: why would this make software companies pay attention to what seems to be a market that only makes speculators rich?]
[side-talk: is this legal? can we get this baked into contracts?]
[side-talk: degraded convo down to responsibility of software companies]
[side-talk: interesting analogy to the airline industry needing to be in the oil futures market to software companies needing to be in this potential vuln/exploit market]
another example is weather derivatives
cites two examples of how prediction markets can incent change
cites tradesports.com and a FIFA prediction market