January 30, 2004

Is finding security holes a good idea?

Eric Rescorla released a research paper this week looking at how effective bug reporting of security holes may be. His abstract goes a long way to explain his research:

A large amount of effort is expended every year on finding and patching security holes. The underlying rationale for this activity is that it increases welfare by decreasing the number of bugs available for discovery and exploitation by bad guys, thus reducing the total cost of intrusions. Given the amount of effort expended, we would expect to see noticeable results in terms of improved software quality. However, our investigation does not support a substantial quality improvement--the data does not allow us to exclude the possibility that the rate of bug finding in any given piece of software is constant over long periods of time. If there is little or no quality improvement, then we have no reason to believe that the disclosure of bugs reduces the overall

Interesting insight here.

Posted by SilverStr at January 30, 2004 01:01 AM | TrackBack

Comments
There's another problem: since big money is put into researching security holes, these findings are free to exploiters, who can target yet-to-be-patched servers.

Long ago I lived in a city on the East Coast of the US which was infested by cockroaches. There were quite a few of the arthropod persuasion in the apartment I was in. After killing them at every opportunity for several months, I noticed that there was no decrease in the number of cockroaches. I decided to not bother myself about them and stopped killing them. It was only a few days, really, until they were in my shoes and clothes in the morning, and on my face when I was sleeping. I went back to killing them, seeking and destroying with a vengeance. Their numbers dropped significantly, below the original level, but never to zero - and stabilized at a new equilibrium state.

This seems appropriately analogous to the finding and patching of security problems in software. The analogy to citizens dealing and failing to deal with cockroaches of the political primate persuasion in that same city seems clear enough without further comment.

Posted by: Jim Pivonka at February 2, 2004 12:04 PM
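To make the question in the abstract above concrete, here is an added illustration that is not code from Rescorla's paper or from this post: two toy models of how many holes get found per year, one where a finite pool of bugs is depleted by discovery and one where the discovery rate never changes, together with the bucketing and ratio check you would run over real discovery dates to tell the two apart. The model forms, parameters, function names and sample dates are all assumptions constructed for this example, not anything the paper reports.

```python
"""Constant discovery rate vs. finite bug pool: an added illustration.

Nothing here comes from Rescorla's paper; the two models and all
parameters are assumptions chosen to make the abstract's question visible.
"""
from collections import Counter
from datetime import date


def expected_counts_depletion(n_bugs, p_find, years):
    """Expected discoveries per year under an assumed 'finite pool' model:
    the product ships with n_bugs hidden holes and each still-hidden hole
    is found with probability p_find per year.  The yearly rate decays
    geometrically as the pool empties, which is what one would hope to
    observe if finding and patching holes actually improves quality."""
    return [n_bugs * (1 - p_find) ** t * p_find for t in range(years)]


def expected_counts_constant(rate, years):
    """Expected discoveries per year under the other hypothesis: the rate
    of bug finding never changes, no matter how many have been fixed."""
    return [float(rate)] * years


def discoveries_per_year(discovery_dates, first_year, years):
    """Bucket ISO-format discovery dates into a per-year count list, the
    kind of series a vulnerability database would give you for one
    product.  Years with no entries count as zero."""
    counts = Counter(date.fromisoformat(d).year for d in discovery_dates)
    return [counts.get(first_year + t, 0) for t in range(years)]


def half_ratio(counts):
    """Discoveries in the second half of an even-length window divided by
    those in the first half.  Close to 1.0 is consistent with a constant
    rate; well below 1.0 suggests the pool really is being depleted."""
    mid = len(counts) // 2
    first, second = sum(counts[:mid]), sum(counts[mid:])
    return second / first if first else float("inf")


# Constructed sample: eleven made-up discovery dates for one hypothetical
# product, 2000 through 2003.  Not real advisories.
SAMPLE_DATES = [
    "2000-02-03", "2000-05-17", "2000-09-30", "2000-11-12",
    "2001-01-08", "2001-06-21", "2001-10-02",
    "2002-03-14", "2002-08-27",
    "2003-04-05", "2003-12-19",
]


def main():
    years = 10
    depleting = expected_counts_depletion(n_bugs=200, p_find=0.3, years=years)
    constant = expected_counts_constant(rate=60, years=years)
    print("finite pool, per year :", [round(c, 1) for c in depleting])
    print("  second/first half   :", round(half_ratio(depleting), 3))
    print("constant rate, per year:", constant)
    print("  second/first half   :", round(half_ratio(constant), 3))

    observed = discoveries_per_year(SAMPLE_DATES, first_year=2000, years=4)
    print("constructed sample, per year:", observed)
    print("  second/first half   :", round(half_ratio(observed), 3))


if __name__ == "__main__":
    main()
```

The point of the ratio is the weakness the abstract describes: with only a few years of noisy counts, a series like the constructed sample (4, 3, 2, 2) is hard to distinguish from a constant rate plus chance, so a modest decline is not evidence that the pool is shrinking.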