Opinion
FUD Watch | Good and Bad in the 'Security Researcher Circus'
Bill Brenner says Linux kernel creator Linus Torvalds is understandably annoyed with the circus atmosphere of vulnerability disclosure. But flaw finders deserve some credit for bringing order to the process.
By Bill Brenner, Senior Editor
In the final analysis, security professionals should be able to pay attention to flaw reports, separate the hype from the issues worth addressing, and act accordingly. Dismissing everything that comes from the research community runs the risk of missing important information that directly affects your company and customers. Paying too much attention to the rock star imagery and eccentricities of this community can be a distraction from more important things.
The lesson is the same as it ever was: Security pros should keep an eye out for important flaw findings for the sake of due diligence and to make sure they're deploying their defenses properly. But they should also remember that the majority of flaws will pose little danger if they rely on a layered defense.
That's what IT admins and hackers alike have told me time and again.
About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD - overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry's most egregious FUD, send an e-mail to bbrenner@cxo.com.