Stories
Slash Boxes
Comments

SoylentNews is people

RAND Study Suggests 0-Day Exploits Should be Stockpiled

posted by Fnord666 on Tuesday March 21 2017, @05:53AM   Printer-friendly
from the keep-it-to-yourself dept.

"Albert" writes:

RAND corporation recently received rare access to study a couple hundred 0-day vulnerabilities and their exploits.

It turns out that 0-day vulnerability discoveries live for about 6.9 years, and that the ones found by a pair of serious opponents (typically nation-state governments) have only a few percent overlap. This means that releasing discoveries to the public provides very little defensive value while obviously destroying offensive ability.

The report (summary and full text[PDF]) includes quite a bit more about the industry, including some estimates of pricing and headcount.

Original Submission

 
This discussion has been archived. No new comments can be posted.
RAND Study Suggests 0-Day Exploits Should be Stockpiled | Log In/Create an Account | Top | 20 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2, Interesting) by Soylentbob on Tuesday March 21 2017, @06:56AM

    by Soylentbob (6519) on Tuesday March 21 2017, @06:56AM (#481988)

    From tfa:

    No vulnerability characteristics indicated a long or short life; however, future analyses may want to examine Linux versus other platform types, the similarity of open and closed source code, and exploit class type.

    Yes, please... As a long term Linux-user, I'm convinced that at least in the prestigious projects (Linux, postgres, mariadb [former mysql] etc. receive patches for known zero-days pretty fast. Regarding overall code quality, open source [wikipedia.org] seems to have an edge (although I doubt this for some of the newer hipster-projects), but would be interesting to know if availability of source-code makes it significantly easier for foreign governments to find zero-days.

    The best strategy to ensure superiority and safety would IMO be to employ developers contributing to contribute to critical projects in order to gain competence, and maybe to invest in freely available static code-analysis tools. Maybe that would be a good option to sink some of the defence-budget. Since Trump was demanding Europe to increase their defence-spending, that might be a good first step :-)

    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Total Score:   2