
How to Buy Better Testing: Using Competition to Get the Most Security and Robustness for Your Dollar

  • Conference paper
  • Infrastructure Security (InfraSec 2002)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2437)

Abstract

Without good testing, systems cannot be made secure or robust. Without metrics for the quality and security of system components, no guarantees can be made about the systems they are used to construct. This paper describes how firms can make the testing process faster and more cost effective while simultaneously providing a reliable metric of quality as one of the outputs of the process. This is accomplished via a market for defect reports, in which testers maximize profits by minimizing the cost of finding defects. The power of competition is harnessed to ensure that testers are paid a fair price for the defects they discover, thereby aligning their incentives with those of the firm developing the system. The price to find, demonstrate, and report a defect that is set by the market serves as the measure of quality.
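The abstract's central claim is that in a competitive market for defect reports, the price at which a defect actually clears is itself the quality metric: as the easy defects are found and fixed, the cost of finding the next one rises, and competition keeps the clearing price pinned to the cheapest tester's cost rather than to whatever a single tester would ask. The simulation below is an added example, not code or a mechanism from the paper, and it rests on assumptions the abstract does not state: a fixed pool of latent defects, an assumed per-tester search cost that grows inversely with the number of defects remaining, and an ascending-price bounty that the firm raises in fixed steps up to a ceiling. The names `Tester`, `search_cost`, `clearing_price`, `run_market`, and the sample testers are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added toy model of a competitive defect-report market. Not the paper's mechanism;
# every cost curve and price rule here is an assumption made for illustration.


@dataclass(frozen=True)
class Tester:
    name: str
    base_cost: float  # assumed cost to find one defect while all defects are still present


def search_cost(tester: Tester, remaining: int, total: int) -> float:
    """Assumed cost model: with `remaining` of `total` defects left, finding the next one
    costs base_cost * total / remaining, so cost rises as the pool thins out."""
    if remaining <= 0:
        return float("inf")
    return tester.base_cost * total / remaining


def clearing_price(testers: List[Tester], remaining: int, total: int,
                   step: float, ceiling: float) -> Optional[Tuple[str, float, float]]:
    """One ascending-price round: the firm raises the offered bounty by `step` until some
    tester can find, demonstrate and report a defect for no more than the offer.
    Competition means the cheapest tester wins at the first price covering its cost.
    Returns (winner, price_paid, winner_cost), or None if the ceiling is hit first."""
    price = 0.0
    while price < ceiling:
        price = round(price + step, 10)
        cost, name = min((search_cost(t, remaining, total), t.name) for t in testers)
        if cost <= price:
            return name, price, cost
    return None


def run_market(testers: List[Tester], total_defects: int,
               step: float = 1.0, ceiling: float = 100.0):
    """Run rounds until every defect is reported or no tester can find one within the
    firm's ceiling. Returns the list of reports and the market's quality metric:
    the cheapest cost at which the next defect could be found (inf if none remain)."""
    remaining = total_defects
    reports = []
    while remaining > 0:
        outcome = clearing_price(testers, remaining, total_defects, step, ceiling)
        if outcome is None:
            break  # defects remain, but the market price exceeds what the firm will pay
        name, price, cost = outcome
        reports.append({"tester": name, "price": price, "profit": round(price - cost, 10)})
        remaining -= 1
    if remaining == 0:
        next_cost = float("inf")
    else:
        next_cost = min(search_cost(t, remaining, total_defects) for t in testers)
    return reports, next_cost


def prices_non_decreasing(reports) -> bool:
    """The clearing price should never fall as the defect pool shrinks."""
    prices = [r["price"] for r in reports]
    return all(a <= b for a, b in zip(prices, prices[1:]))


# Constructed sample: three testers with different efficiencies (not real data).
TESTERS = [Tester("alice", 4.0), Tester("bob", 6.0), Tester("carol", 9.0)]

if __name__ == "__main__":
    reports, metric = run_market(TESTERS, total_defects=4, step=1.0, ceiling=10.0)
    for r in reports:
        print(f"{r['tester']:6s} paid {r['price']:5.1f}  profit {r['profit']:.3f}")
    print("quality metric (cost to find the next defect):", metric)
```

With a ceiling of 10 the firm buys three reports at rising prices and then stops; the reported metric of 16 is the market's estimate of what the fourth defect would cost an attacker or tester to find. Raising the ceiling buys the last defect too, and the metric becomes unbounded in this toy model because no defects remain. The winner's profit stays within one price step of zero, which is the abstract's point about competition yielding a fair price rather than an inflated one.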

Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Schechter, S. (2002). How to Buy Better Testing: Using Competition to Get the Most Security and Robustness for Your Dollar. In: Davida, G., Frankel, Y., Rees, O. (eds) Infrastructure Security. InfraSec 2002. Lecture Notes in Computer Science, vol 2437. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45831-X_6

  • DOI: https://doi.org/10.1007/3-540-45831-X_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-44309-4

  • Online ISBN: 978-3-540-45831-9
