Is finding security holes a good idea?

lists at notatla.org.uk lists at notatla.org.uk
Fri Jun 11 17:13:15 EDT 2004 

From: Eric Rescorla <ekr at rtfm.com>

>    Is finding security holes a good idea?
 
>Paper:    http://www.dtc.umn.edu/weis2004/rescorla.pdf
>Slides:   http://www.dtc.umn.edu/weis2004/weis-rescorla.pdf

In section 1 there's a crucial phrase not properly followed up:
    "significant opportunity cost since these researchers
     could be doing other security work instead of finding
     vulnerabilities".
What "other security work" is being used for comparison ?
    - finding and fixing non-program flaws (such as in configuration)
          I do a lot of this - and I'm not about to run out of it.
          I know that _finding_ the flaws is easy.  Even finding
          many of them systematically is easy.  Fixing them is
          often gets stuck on the problem of that's Fred's piece
          of work and he doesn't feel like doing it.
    - fixing long-known and neglected bugs (are there many ?)
    - accelerating patch uptake
    - technical work on tolerant architectures/languages etc
    - advocacy work on tolerant architectures/languages etc
          (Where's Howard Aitken when you need him ?)
    - forensics
    - other ?

Footnote 1 mentions an indirect effect of vulnerability research.
Another one would be programmer education - but reporting yet
another bug of a common type seems to have low value.  People
do need to be aware that (their!) software can be faulty and in
roughly what ways.

In 3.4 if proactive WHD is not worth the effort because the bugs
get discovered anyway when they are widely exploited what does
this say about finding vulnerabilities through their use in the
wild ? Is this more costly but better aimed at the bugs that matter ?
Are there cost-effective ways to do this reactive discovery ?  What
tools would simplify it ?

As mentioned in 8.4 the estimates of total cost bypass the incentive
to the participant.  A vendor/maintainer running his own code
is a special case because he might upgrade all his installations
before announcing a fix.


Don't worry about people stealing your ideas. If your ideas are any good,
you'll have to ram them down people's throats. --Howard Aitken

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list