Is finding security holes a good idea?
Eric Rescorla
ekr at rtfm.com
Thu Jun 10 14:37:06 EDT 2004
Cryptography readers who are also interested in systems security may be
interested in reading my paper from the Workshop on Economics
and Information Security '04:
Is finding security holes a good idea?
Eric Rescorla
RTFM, Inc.
A large amount of effort is expended every year on finding and
patching security holes. The underlying rationale for this activity
is that it increases welfare by decreasing the number of bugs
available for discovery and exploitation by bad guys, thus reducing
the total cost of intrusions. Given the amount of effort expended,
we would expect to see noticeable results in terms of improved
software quality. However, our investigation does not support a
substantial quality improvement--the data does not allow us to
exclude the possibility that the rate of bug finding in any given
piece of software is constant over long periods of time. If there is
little or no quality improvement, then we have no reason to believe
that the disclosure of bugs reduces the overall cost of
intrusions.
Paper: http://www.dtc.umn.edu/weis2004/rescorla.pdf
Slides: http://www.dtc.umn.edu/weis2004/weis-rescorla.pdf
-Ekr
---------------------------------------------------------------------
The Cryptography Mailing List