Slashdot Mirror


Is Finding Security Holes a Good Idea?

ekr writes "A lot of effort goes into finding vulnerabilities in software, but there's no real evidence that it actually improves security. I've been trying to study this problem and the results (pdf) aren't very encouraging. It doesn't look like we're making much of a dent in the overall number of vulnerabilities in the software we use. The paper was presented at the Workshop on Economics and Information Security 2004 and the slides can be found here (pdf)."

1 of 433 comments

  1. No it's a bad idea by gelfling · Score: 0, Redundant

    Better we should make the code writers and vendors liable when their crappy code fucks up. Better we should push the system beyond its limits until it crashes down and it becomes clear that no one at any point in recognizable history ever gave a shit about quality design with security built in.

    We really don't need 432 different kinds of web servers all of which basically suck shit. We need maybe 10 that are reliable. We need the equivalent of a fucking comet to strike the IT Yucatan peninsula so we can kill off this evolutionary tree and start over.