Is finding security holes a good idea?

Eric Rescorla: Is finding security holes a good idea? actually analyzes the data on bug discovery. Conclusion of (the first draft of) the paper:

If finding security defects is a useful security activity, then it should have some measurable effect on the software security defect rate. In this paper, we have looked for such an effect and only found very weak evidence of it. In the best case scenario we are able to make, the total defect count has a half life of approximately 3.5 years. However, our data is also consistent with there being no such effect at all. In either case, the evidence that the effort being spent on bug finding is well spent is weak.
