Putting this into perspective, Windows Vista has approximately 70 million lines of
code. A 2006 study sponsored by the Department of Homeland Security and carried out
by a team of researchers centered at Stanford University, concluded that there is an average
of about one bug or flaw in every 2,000 lines of code. This extrapolates to predict
that Windows Vista has about 35,000 bugs in it. If the security researchers demand their
$10,000 to $15,000 ($12,500 average) compensation per bug, the cost to identify the
bugs in Windows Vista approaches half a billion dollars??”again, at a minimum.
Can the software development industry afford to pay this? Can they afford not to pay
this? The path taken will probably lie somewhere in the middle.
Zero Day Initiative
Another method for reporting vulnerabilities that is rather unique is the Zero Day Initiative
(ZDI). What makes this unique is the method in which the vulnerabilities are used.
The company involved, TippingPoint (owned by 3Com), does not resell any of the vulnerability
details or the code that has been exploited. Instead they notify the vendor of
the product and then offer protection for the vulnerability to their clients. Nothing too
unique there; what is unique though, is that after they have developed a fix for the vulnerability,
they offer the information about the vulnerability to other security vendors.
Pages:
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199