Without good testing, systems cannot be made secure or robust. Without metrics for the quality and security of system components, no guarantees can be made about the systems built from them. This paper describes how firms can make the testing process faster and more cost-effective while, as one output of that process, obtaining a reliable metric of quality. This is accomplished via a market for defect reports, in which testers maximize their profits by minimizing the cost of finding defects. Competition ensures that testers are paid a fair price for the defects they discover, aligning their incentives with those of the firm developing the system. The market-set price to find, demonstrate, and report a defect serves as the measure of quality.
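The following is an added illustrative model of the defect-report market the abstract describes; it is not code from the paper and does not claim to reproduce the paper's exact mechanism. It assumes an ascending posted reward (the firm raises the reward whenever nobody sells), testers with private per-defect costs who sell as soon as the reward covers their cost, and competition resolved in favour of the lowest-cost finder. The defects, effort values and tester names are constructed sample data. The reward in force when no tester will sell any more is the quality metric the abstract refers to.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Defect:
    name: str
    effort: float  # assumed base effort to find, demonstrate and report it


@dataclass(frozen=True)
class Tester:
    name: str
    cost_per_effort: float  # tester's private cost per unit of effort (lower = more efficient)

    def cost(self, d: Defect) -> float:
        return d.effort * self.cost_per_effort


@dataclass(frozen=True)
class Sale:
    price: float   # reward paid by the firm
    defect: str
    tester: str
    profit: float  # reward minus the seller's private cost


def run_defect_market(defects: List[Defect], testers: List[Tester],
                      start_price: float = 1.0, step: float = 1.0,
                      price_cap: float = 8.0) -> Tuple[List[Sale], float]:
    """Ascending-price model (an assumption for illustration).

    The firm posts a reward for the next defect report. If some tester can find a
    remaining defect at a cost no greater than the reward, the lowest-cost finder
    sells it at the posted price (competition keeps the paid price at the cheapest
    finder's cost). Otherwise the firm raises the reward by `step`, up to
    `price_cap`, which stands in for the firm's testing budget.

    Returns the sales made and the reward in force when the market went quiet;
    that final reward is the market's price for the next defect, i.e. the quality
    metric.
    """
    remaining = list(defects)
    price = start_price
    sales: List[Sale] = []
    while remaining:
        offers = [(t.cost(d), t.name, d.name, t, d)
                  for t in testers for d in remaining if t.cost(d) <= price]
        if offers:
            # Lowest private cost wins; names break ties deterministically.
            offers.sort(key=lambda o: o[:3])
            cost, _, _, tester, defect = offers[0]
            sales.append(Sale(price, defect.name, tester.name, price - cost))
            remaining.remove(defect)
        elif price + step > price_cap:
            break  # nobody will sell within the firm's budget
        else:
            price += step
    return sales, price


# Constructed sample data: four defects of increasing difficulty, two testers.
DEFECTS = [Defect("bug-A", 2.0), Defect("bug-B", 3.0),
           Defect("bug-C", 10.0), Defect("bug-D", 100.0)]
ALICE = Tester("alice", 1.0)
BOB = Tester("bob", 0.5)


def quality_metric(defects: List[Defect], testers: List[Tester]) -> float:
    """Price the market demands for the next defect once all cheaper ones are sold."""
    return run_defect_market(defects, testers)[1]


if __name__ == "__main__":
    for pool in ([ALICE], [ALICE, BOB]):
        sales, metric = run_defect_market(DEFECTS, pool)
        print([t.name for t in pool])
        for s in sales:
            print(f"  {s.defect} sold by {s.tester} at {s.price:.1f} (profit {s.profit:.1f})")
        print(f"  market price for next defect: {metric:.1f}")
```

Running the two tester pools side by side shows the two effects the abstract claims: adding a more efficient competitor lowers the price the firm pays for each defect, and the reward climbs as the easy defects are exhausted, so the price at which the market goes quiet is a measure of how hard the remaining defects are to find.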