Paper announcement: Is finding security holes a good idea?

From: Eric Rescorla (ekr_at_rtfm.com)
Date: 01/22/04

    To: bugtraq@securityfocus.com
    Date: Wed, 21 Jan 2004 15:41:32 -0800

    Bugtraq readers might be interested in this paper:

                       Is finding security holes a good idea?

                                 Eric Rescorla
                       RTFM, Inc. <http://www.rtfm.com/>

    A large amount of effort is expended every year on finding and patching
    security holes. The underlying rationale for this activity is that it
    increases welfare by decreasing the number of bugs available for
    discovery and exploitation by bad guys, thus reducing the total cost of
    intrusions. Given the amount of effort expended, we would expect to see
    noticeable results in terms of improved software quality. However, our
    investigation does not support a substantial quality improvement--the
    data does not allow us to exclude the possibility that the rate of bug
    finding in any given piece of software is constant over long periods of
    time. If there is little or no quality improvement, then we have no
    reason to believe that the disclosure of bugs reduces the overall
    cost of intrusions.

    The paper can be downloaded from:
    http://www.rtfm.com/bugrate.pdf
    http://www.rtfm.com/bugrate.ps
