Security Focus: Closing the Window of Exposure: Reflections on the Future of Security

“Every season yields a bumper crop of computer security stories:
break-ins, new vulnerabilities, new products. But this season has
also given us a crop of stories about computer security philosophy.
There has been a resurgence in opposition to the full disclosure
movement: the theory that states that publishing vulnerabilities is
the best way to fix them. In response, defenders of the movement
have published their rebuttals. And even more experts have weighed
in with opinions on the DeCSS case, where a New York judge ruled
that distributing an attack tool is illegal.”

What’s interesting is that everybody wants the same thing;
they’re just disagreeing about the best way to get there.

“When a security vulnerability exists in a product, it creates
what I call a window of exposure. This window exists until the
vulnerability is patched, and that patch is installed. The shape of
this window depends on how many people can exploit this
vulnerability, and how fast it is patched. What everyone wants is
to make this window as small as possible.”


Complete Story