web application security lab

Some Possible Insights into Geo-Economics of Security

38 more posts left…

I first started thinking about this when I talked to a friend from Vietnam a year or so ago regarding his CISSP. Once upon a time it was nearly impossible to find someone in Vietnam with a CISSP. At first I thought he was making some sort of joke about the usefulness of the certificate, but for some things in Vietnam it’s really a hot commodity. It turns out that the cost of living there makes a CISSP almost totally not worth it. Even though it’s expensive in the United States (where I live), respective to the wages in Vietnam it’s weeks or even a month’s worth of work. Therefore the rate at which a certificate would be awarded is less, not because of skill, know-how or anything else. It’s purely economics. Slowly that has changed and more people now have it than before in Vietnam, but it’s still not equal as a percentage compared to the USA, for instance, from what I was told.

That got me thinking about other issues that are relatively the same. For instance, SSL/TLS certificates. Buying a certificate to allow for transport security is a good idea if you’re worried about man-in-the-middle attacks. Yes, that’s true even despite what I’m going to tell you in my Blackhat presentation where Josh Sokol and I will be discussing 24 different issues of varying severity with plugins and browsers in general. But when you’re in another country where the cost of running your website is a significant investment compared to the United States, suddenly the fees associated with the risks are totally lopsided. So this may be why you might see a lower adoption rate of certificates in certain regions. More importantly, there really is no long-term reason the security industry can’t create a free certificate authority (over DNSSEC for instance) that provides all the same security or more even without the costs - therefore making it a more equal playing field.

Lastly, I started thinking about bug bounties and how they work almost opposite. Unlike security, where the cost is high for playing, hacking can be much more lucrative based on your geo-economic situation. For instance, a $3000 bug bounty for something that takes two weeks to work on equates to a $78k a year job if you can be consistent. In the United States for a skilled researcher that’s barely worth the time. But in a country where the average income is closer to $10k a year, something like this might highly incentivize researchers to focus on attack versus defense, which few can afford. Anyway, I thought it was an interesting concept that may play out entirely differently in reality, but it was a fun thought exercise.

9 Responses to “Some Possible Insights into Geo-Economics of Security”

  1. Sullo Says:

    $78k a year is a decent living in the US, especially if you are a high school or college student and good enough to be consistent. Even if you cut that in half due to studies and/or skill, that’s still probably more than most full-time students make at their part time jobs.

    I would have been living large if I’d made a quarter of that back in college…

  2. RSnake Says:

    Yeah, that’s why I said skilled. I meant more for the guys who’ve been doing this for 10+ years.

  3. Denis Says:

    is providing free certificates. Though you have to be “trusted” to get a long-term certificate and the CA is not (yet?) included in the common browsers CA-list.

  4. RSnake Says:

    @Denis - yeah, unfortunately both of those things are kinda deal breakers.

    @Sullo - I forgot to mention the $78k is with no vacation time and doesn’t come with health benefits/insurance, etc…. So it’s really not as good as it sounds.

  5. Ari E-B Says:

    Definitely an interesting approach, but there’s another aspect to be considered. If you live somewhere with a lower standard of living so that the fixed price bounty is worth more to you, you probably also live in a place with less tech-savvy law enforcement, so there is less risk (and more reward) to finding “alternative” methods of monetizing your vulnerability findings.

  6. AppSec Says:

    It’s an interesting concept, but is this really comparing apples to apples?

    I’m flipping back and forth on it.. But to me, a person getting a CISSP is a voluntary choice which has no impact on others (we can open the whole value of certificate conversation, but it’s probably not where this conversation is intended to go). A corporation not implementing SSL directly impacts users/customers not to mention potential regulatory compliance needs.

  7. RSnake Says:

    @AppSec - interesting point. I bet the compliance/regulatory angle is one of the only reasons people have certs in some countries. Otherwise, it’s even less likely. For instance a small portal with nothing but a forum to protect might normally have a cert in the USA but there’d be almost no reason it could be worth it in some other countries.

  8. Wladimir Palant Says:

    Robert, one can get free certificates from StartCom and these are accepted by pretty much all browsers by now. So in principle everybody should be able to afford SSL certificates. Of course they will only give you certificates for free that list the domain name and a single host in this domain. Once you need alternative names or even wildcards (and most larger sites probably do) things get different. Also, there are no free options for application/object signing from what I know.

  9. VO Says:

    Congrats, you figured out why Brazilians/Russians/Chinese are doing it :)