Tuesday, June 12, 2007

Vulnerabilty v. Threat

Jeremiah Grossman's analysis of the MSNBC stock contest cheat.

It seems to me that this sort of flaw would rise to the surface quickly from a threat perspective, but slower from a vulnerability perspective. I'm not sure why though.


Alex said...


Do you mean to say there that this seems like the kind of vulnerability easily overlooked in development/scanning, but would be quick to be discovered by threat agents?

If so, I would suggest that is the case for the following reason:

We (as an industry) are really bad at integrating security into design documentation.

This is not a flaw that automated examination would necessarily turn up. It would take a pretty sophisticated audit of functionality, and even in the cases where those sorts of audits are done, it's usually done from a "user interface" standpoint, not a "user experience" standpoint.

It's a limited market, but we could get into "user experience" based penetration testing for MMORPGs and such - get paid to play!

Dutcher Stiles said...

Elegantly put, Mr. H. And after a cup of coffee, I think that's what I'm trying to say.

"User experience" seems key. Security may be tied to HMI but could be seen as a less critical to the programmers than the lower level functions tied more directly to the code and data (e.g., input verification).