The value of vulnerabilities


One of the things that I really love about information security is the large number of different technologies involved. With personal computers alone, there are all sorts of architectures, operating systems, devices, and protocols to learn about. There's never a shortage of information to digest. It's hard to maintain a balance between knowing a little bit about everything, and understanding some specific things at a very deep level.

When it comes to vulnerabilities, there is already a large spectrum of understanding associated with them. From a high level, that understanding may simply be about what technologies are affected and what the exploitation results are. In contrast, if you get down to the lowest level, as a researcher you can explore the vulnerability in gruesome detail - how exactly the vulnerable code was found, and how the issue can be exploited. At this level, there's even a big difference between knowing how to exploit a vulnerability and actually exploiting it. And of course there is some middle ground between the high level view and the view a researcher might have. This middle ground might enable people to implement technical mitigations for the issue, and otherwise understand the vulnerability at a level deep enough to pinpoint and protect against the attack vector associated with the vulnerability - even if these people might not understand the intricate technical details themselves. The value of vulnerabilities

Linked by shanmuga Wednesday, 8th March 2006 6:24AM