Are security bugs different from ordinary bugs? This is a relevant question to follow Ross Anderson’s talk. On balance I would claim that they are, not for a technical but for a social reason. Consider a paradigmatic "ordinary" bug, such as a library that wrongly calculates the square root of 2, while apparently doing everything else right. After a certain amount of hilarity the community response would be either to use a different library, or, more likely, to avoid taking the square root of 2. If a security bug is found in a system there is a community of people who make it their personal priority to make the wrong behavior happen, typically in other people’s computers. This must affect any kind of statistical analysis.
Download the paper in PDF format here.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.