Is finding security holes a good idea?

Ben Laurie ben at algroup.co.uk
Mon Jun 14 10:44:12 EDT 2004


Eric Rescorla wrote:

> Cryptography readers who are also interested in systems security may be
> interested in reading my paper from the Workshop on Economics
> and Information Security '04:
> 
>     Is finding security holes a good idea?
>     
>     Eric Rescorla
>     RTFM, Inc.
> 
>     A large amount of effort is expended every year on finding and
>     patching security holes. The underlying rationale for this activity
>     is that it increases welfare by decreasing the number of bugs
>     available for discovery and exploitation by bad guys, thus reducing
>     the total cost of intrusions. Given the amount of effort expended,
>     we would expect to see noticeable results in terms of improved
>     software quality. However, our investigation does not support a
>     substantial quality improvement--the data does not allow us to
>     exclude the possibility that the rate of bug finding in any given
>     piece of software is constant over long periods of time. If there is
>     little or no quality improvement, then we have no reason to believe
>     that the disclosure of bugs reduces the overall cost of
>     intrusions.

I don't see how that follows. If a bug is found but not disclosed, then 
it can be used for intrusion. If it is disclosed, then it cannot 
(assuming it gets fixed, of course). The fact that there are more bugs 
to be found which can _also_ be used for intrusions doesn't mean there's 
no point in fixing the hole, surely - at least the next bug has to be 
found before intrusions can occur again.

What you _may_ have shown is that there's an infinite number of bugs in 
any particular piece of s/w. I find that hard to believe, too :-)

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
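The exchange above turns on one quantitative question: what does a discovery rate that looks constant over an observation window actually imply about the number of bugs left? The following is an added worked example for this thread, written by the editor; it is not code from Rescorla's paper or from Laurie's reply, and the model it assumes (a finite pool of N latent bugs, each still-unfound bug discovered independently with per-period probability p) is my simplification, not necessarily the model the paper fits. Under that assumption the expected finds in period t are N * p * (1 - p)^t, so the rate decays geometrically and the question becomes how large a finite pool has to be for the decay to be invisible over the window.

```python
"""Finite-pool model of vulnerability discovery (added example, not from the
thread).  Assumption: a program ships with N latent bugs, and in each period
every still-unfound bug is found independently with probability p.  A rate
that stays within a small tolerance over T periods then does not require an
infinite pool, only a pool large relative to the finds per period."""
import random


def expected_finds(n_bugs: int, p: float, period: int) -> float:
    """Expected new discoveries in 0-based `period`: N * p * (1 - p) ** t."""
    return n_bugs * p * (1.0 - p) ** period


def relative_decline(p: float, window: int) -> float:
    """Fraction by which the expected rate falls from period 0 to `window`.
    Independent of N: only the per-bug hazard p matters."""
    return 1.0 - (1.0 - p) ** window


def pool_size_for_flat_rate(finds_per_period: float, window: int,
                            max_decline: float) -> tuple[float, float]:
    """Smallest pool consistent with a rate that declines by at most
    `max_decline` over `window` periods.  Returns (p, N): the per-bug hazard
    that exactly meets the bound and the implied initial pool size."""
    p = 1.0 - (1.0 - max_decline) ** (1.0 / window)
    return p, finds_per_period / p


def simulate_finds(n_bugs: int, p: float, periods: int,
                   seed: int = 1) -> list[int]:
    """Monte Carlo draw of per-period find counts from the same model,
    seeded so runs are reproducible."""
    rng = random.Random(seed)
    remaining = n_bugs
    counts = []
    for _ in range(periods):
        found = sum(1 for _ in range(remaining) if rng.random() < p)
        remaining -= found
        counts.append(found)
    return counts


def looks_constant(counts: list[int], tolerance: float) -> bool:
    """Crude flatness test: mean of the second half of the series within
    `tolerance` (relative) of the mean of the first half."""
    half = len(counts) // 2
    first = sum(counts[:half]) / half
    second = sum(counts[half:]) / (len(counts) - half)
    return abs(second - first) <= tolerance * first


if __name__ == "__main__":
    # Constructed scenario: ten finds a year for ten years, and a 10% drop
    # over the decade is what we would still call "constant".
    p, n = pool_size_for_flat_rate(10, 10, 0.10)
    print(f"per-bug hazard p={p:.4f}, implied finite pool N={n:.0f}")
    print("simulated finds per year:", simulate_finds(round(n), p, 10))
```

With those numbers the pool comes out near a thousand bugs, finite but roughly a hundred years' worth of discovery at the observed rate, which is one way to reconcile "the rate is constant" with "the number of bugs is finite": the window is simply too short to see the depletion, and the cost argument depends on how much of that pool the good guys would ever drain.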
