How to Buy Better Testing Using Competition to Get the Most Security and Robustness for Your Dollar
Without good testing, systems cannot be made secure or robust. Without metrics for the quality and security of system components, no guarantees can be made about the systems they are used to construct. This paper describes how firms can make the testing process faster and more cost effective while simultaneously providing a reliable metric of quality as one of the outputs of the process. This is accomplished via a market for defect reports, in which testers maximize profits by minimizing the cost of finding defects. The power of competition is harnessed to ensure that testers are paid a fair price for the defects they discover, thereby aligning their incentives with those of the firm developing the system. The price to find, demonstrate, and report a defect that is set by the market serves as the measure of quality.
KeywordsTesting Process Reward Function Security Vulnerability Mean Time Between Failure Defect Report
Unable to display preview. Download preview PDF.
- 2.Anderson, R.: Why information security is hard, an economic perspective. In: 17th Annual Computer Security Applications Conference. (2001)Google Scholar
- 3.Schechter, S.E.: Quantitatively differentiating system security. In: The First Workshop on Economics and Information Security. (2002)Google Scholar
- 4.Silverman, R.D.: A cost-based security analysis of symmetric and asymmetric key lengths. http://wwww.rsasecurity.com/rsalabs/bulletins/bulletin13.html (2001)
- 5.Brady, R.M., Anderson, R.J., Ball, R.C.: Murphy’s law, the fitness of evolving species, and the limits of software reliability. http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/babtr.pdf (1999)
- 6.Camp, L.J., Wolfram, C.: Pricing security. In: Proceedings of the CERT Information Survivability Workshop. (2000) 31–39Google Scholar
- 7.Aslam, T., Krsul, I., Spafford, E.: Use of a taxonomy of security faults. In: 19th National Information Systems Security Conference. (1996)Google Scholar