
[IP] Is finding security holes a good idea?





Begin forwarded message:

From: Eric Rescorla <ekr@xxxxxxxx>
Date: June 10, 2004 2:55:41 PM EDT
To: dave@xxxxxxxxxx
Subject: Is finding security holes a good idea?

IP readers interested in systems security may be interested in reading
my paper from the Workshop on Economics and Information Security '04.
The problem I've been working on is whether trying to find
vulnerabilities in software is a socially valuable activity. This paper
represents my first rough attempts to answer this question. It's nothing
like definitive, but I do think it raises some disturbing questions.


    Is finding security holes a good idea?

    Eric Rescorla
    RTFM, Inc.

    A large amount of effort is expended every year on finding and
    patching security holes. The underlying rationale for this activity
    is that it increases welfare by decreasing the number of bugs
    available for discovery and exploitation by bad guys, thus reducing
    the total cost of intrusions. Given the amount of effort expended,
    we would expect to see noticeable results in terms of improved
    software quality. However, our investigation does not support a
    substantial quality improvement--the data does not allow us to
    exclude the possibility that the rate of bug finding in any given
    piece of software is constant over long periods of time. If there is
    little or no quality improvement, then we have no reason to believe
    that the disclosure of bugs reduces the overall cost of
    intrusions.

Paper:    http://www.dtc.umn.edu/weis2004/rescorla.pdf
Slides:   http://www.dtc.umn.edu/weis2004/weis-rescorla.pdf


-Ekr


Archives at: http://www.interesting-people.org/archives/interesting-people/