RE: Paper announcement: Is finding security holes a good idea?

From: Daniel Whelan (daniel.whelan_at_kickapoocheese.com)
Date: 01/22/04

  • Next message: Oliver Friedrichs: "Re: Paper announcement: Is finding security holes a good idea?"
    To: <bugtraq@securityfocus.com>
    Date: Thu, 22 Jan 2004 09:37:45 -0600
    I am in a sinking ship. The water flows in at a constant rate and does
    not diminish. I begin bailing.

    After a little while, I notice that my efforts have had no 'measurable
    effect'; the level of water in my ship has not gone down, so I decide to
    focus my attention on trimming the sails or 'other' work . . .

    Granted, the analogy is not perfect, but it holds some truth.

    -----Original Message-----
    From: Eric Rescorla [mailto:ekr@rtfm.com]
    Sent: Wednesday, January 21, 2004 5:42 PM
    To: bugtraq@securityfocus.com
    Subject: Paper announcement: Is finding security holes a good idea?

    Bugtraq readers might be interested in this paper:

                       Is finding security holes a good idea?

                                 Eric Rescorla
                       RTFM, Inc. <http://www.rtfm.com/>

    A large amount of effort is expended every year on finding and patching
    security holes. The underlying rationale for this activity is that it
    increases welfare by decreasing the number of bugs available for
    discovery and exploitation by bad guys, thus reducing the total cost of
    intrusions. Given the amount of effort expended, we would expect to see
    noticeable results in terms of improved software quality. However, our
    investigation does not support a substantial quality improvement--the
    data does not allow us to exclude the possibility that the rate of bug
    finding in any given piece of software is constant over long periods of
    time. If there is little or no quality improvement, then we have no
    reason to believe that the disclosure of bugs reduces the overall
    cost of intrusions.

    The paper can be downloaded from: http://www.rtfm.com/bugrate.pdf
    http://www.rtfm.com/bugrate.ps
