Interesting People mailing list archives
Is finding security holes a good idea?
From: David Farber <dave () farber net>
Date: Thu, 10 Jun 2004 15:05:30 -0400
Begin forwarded message:

From: Eric Rescorla <ekr () rtfm com>
Date: June 10, 2004 2:55:41 PM EDT
To: dave () farber net
Subject: Is finding security holes a good idea?

IP readers interested in systems security may be interested in reading my paper from the Workshop on Economics and Information Security '04. The problem I've been working on is whether trying to find vulnerabilities in software is a socially valuable activity. This paper represents my first rough attempts to answer this question. It's nothing like definitive, but I do think it raises some disturbing questions.

Is finding security holes a good idea?
Eric Rescorla
RTFM, Inc.

A large amount of effort is expended every year on finding and patching security holes. The underlying rationale for this activity is that it increases welfare by decreasing the number of bugs available for discovery and exploitation by bad guys, thus reducing the total cost of intrusions. Given the amount of effort expended, we would expect to see noticeable results in terms of improved software quality. However, our investigation does not support a substantial quality improvement--the data does not allow us to exclude the possibility that the rate of bug finding in any given piece of software is constant over long periods of time. If there is little or no quality improvement, then we have no reason to believe that the disclosure of bugs reduces the overall cost of intrusions.

Paper: http://www.dtc.umn.edu/weis2004/rescorla.pdf
Slides: http://www.dtc.umn.edu/weis2004/weis-rescorla.pdf

-Ekr