Slashdot Mirror


Is Finding Security Holes a Good Idea?

ekr writes "A lot of effort goes into finding vulnerabilities in software, but there's no real evidence that it actually improves security. I've been trying to study this problem and the results (pdf) aren't very encouraging. It doesn't look like we're making much of a dent in the overall number of vulnerabilities in the software we use. The paper was presented at the Workshop on Economics and Information Security 2004 and the slides can be found here (pdf)."

3 of 433 comments

  1. Google is teh friend by Mz6 · Score: 5, Informative
    Posting a PDF on /. is almost certain server death. Here are Google's HTML versions:

    Is finding security holes a good idea?

    Writing Security Considerations Sections

    --
    Hmmm.
  2. Not necessarily by aussie_a · Score: 5, Informative

    If the patch breaks an application and the machine goes unpatched, there is a loss in security because of potential intrusion. If the patch is applied, there is a potential loss of productivity.

    Not all patches are security patches. Many patches fix problems, such as the spell check function doesn't work correctly. Or some other function doesn't work correctly. These won't compromise security, but they may interfere with other programs.

  3. Re:Uhuh. Is this good if Microsoft does this? by mangu · Score: 5, Informative

    In theory, you are right. In practice, I've been using apt-get for several years and never got in the situation you mention when patching with "stable" releases. Can't say anything about Microsoft patches, though. Never touch that stuff.