
Should we be focusing on vulnerabilities or exploits?


#1 TheSentinel


    The man in the dark

  • General Admin
  • 30,396 posts

Posted 13 February 2012 - 07:54 PM

Should we be focusing on vulnerabilities or exploits?

By Ryan Naraine | February 13, 2012, 9:19am PST

Summary: Mitja Kolsek argues that there's a hidden danger in focusing on limiting exploitability instead of exterminating vulnerabilities.

Guest editorial by Mitja Kolsek

This post was inspired by a recent ZDNet article "Offensive security research community helping bad guys?" and this ThreatPost interview after the Kaspersky security analyst summit, in which Adobe security chief Brad Arkin explains his (Adobe's) philosophy on addressing software vulnerabilities. The crux of this philosophy can be summarized with Brad's words: "My goal isn't to find and fix every security bug, I'd like to drive up the cost of writing exploits." Subsequently, he mentioned that offensive security researchers are "driving that cost down when they research a new technique to hack into software, write a paper and publish it to the world."

Although the average sentiment of the comments under the "offensive security" article was, well…, offensive, one thing is true: if the only alternative to driving up the cost of writing exploits were to find and fix every security bug, and one would have to choose between the two, the former is the logical choice - after all, it is a general consensus (or as some prefer: excuse) that you can never find all security bugs, while one can achieve demonstrable success in driving up the costs of exploitation for many vulnerabilities. (And Adobe, having introduced sandboxing to the Reader, has undoubtedly made real progress in this area.)

Read more at: