March 27, 2006

Vulnerability Research: Good or Evil?

This morning, I came across the excellently written post by Pete Lindstrom "Why Bugfinding is Irresponsible and Increases Risk". As always, Pete is succinct, considered, and lays out his argument in exceptional clarity. That's not to say that I agree with the entirety of what he says - just that I think he's studying the problem in a comprehensive way, and I think his (non-mainstream) approach is thought provoking.

Pete's position is that vulnerability research - more specifically for-disclosure research ("bugfinding") - increases overall IT risk, and is therefore undesirable. I won't dispute whether it does or does not increase risk; I think we can only speculate as to what kind of relationship risk and research might or might not have. Sure, there's anecdotal evidence on both sides of the issue, but we don't have any empirical evidence - we don't have any way to test how research impacts risk - and we have a fairly equal number of smart people arguing for both sides. So, maybe it increases risk and maybe it doesn't.

However, I think debaters on both sides of this issue are somewhat guilty of security-centrism. In other words, although risk is very important as part of doing business, there are other factors to consider; security is a means, not an end. When considering the value of vulnerability research, shouldn't we also consider the broader ramifications that don't directly relate to risk? In fact, some of these broader issues are things that we can actually get some data about; for example, the economic impact on vendors and other parties, or the impact on overall software quality.

I guess my point is, why ignore all the other potential benefits of vulnerability research because of a potential (but not necessarily definite) increase in overall IT risk? Shouldn't the discussion be broader than that?

Posted by Ed at March 27, 2006 11:33 AM