Monday, July 16, 2007

So what about WabiSabiLabi?

I've been meaning to use this blog on a regular basis, but never seem to get around to it. So instead of waiting for the new year and a New Year's resolution, I'm resolving to do it today.

WabiSabiLabi has been getting a huge amount of press, including mainstream press like Forbes and The Washington Post.

Most of the coverage has been pretty negative, about how this may encourage black hats to find problems and sell them to the bad guys (where the definition of "bad guys" is dependent on where you stand, but frequently includes foreign governments). I think these criticisms are all valid, but there's also one positive aspect: they make ROI (Return on Investment) real.

For many years, security people have had a hard time justifying why anyone should spend money on security. It's the "fear" and "insurance" arguments - "if you don't invest in security now, your site might get hacked". But we've never been able to justify how much to spend - it's never possible to solve all the problems, but how much is enough? What WabiSabiLabi offers is a free market in figuring out how much is enough.

If I'm a software vendor, and a vulnerability in my product shows up in WabiSabiLabi, I have a few choices:
  • Buy it myself (and presumably fix it for my customers)
  • Wait for someone else to buy it, and hope they don't use it to attack my customers
  • Hope no one buys it
If the result is the first, I know how much I have to spend to keep the vulnerability out of a competitor's hands. If it's the second, I know how much a vulnerability in my product is worth to a bad guy (or a competitor), and that gives an indication of how much I might want to invest to prevent it from happening again. If it's the third, I know that no one is willing to pay enough to satisfy the bug finder, so perhaps additional security spending isn't needed.

Obviously, one data point isn't enough to come to any conclusions, but if they get substantially more than the four bugs currently up for sale, we might be able to draw some conclusions about the dollar (or euro or ...) value of security.
