Security impact ratings considered harmful
Jeff Arnold, Tim Abbott, Waseem Daher, Gregory Price, Nelson Elhage, Geoffrey Thomas, Anders Kaseorg

TL;DR
This paper challenges the practice of ranking OS updates by security impact, showing that such rankings can increase risk and advocating for update technologies that enable timely distribution of all updates.
Contribution
It provides evidence that prioritizing security impact ratings can be harmful and proposes a shift towards update mechanisms that support timely, comprehensive updates.
Findings
Ranking updates by security importance can increase system risk.
Current practices may delay critical updates, exposing systems to vulnerabilities.
The paper advocates for update technologies that enable all OS bug fixes to be distributed promptly.
Abstract
In this paper, we question the common practice of assigning security impact ratings to OS updates. Specifically, we present evidence that ranking updates by their perceived security importance, in order to defer applying some updates, exposes systems to significant risk. We argue that OS vendors and security groups should not focus on security updates to the detriment of other updates, but should instead seek update technologies that make it feasible to distribute updates for all disclosed OS bugs in a timely manner.
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Software System Performance and Reliability
