Message-ID: <200512062131.jB6LVPxS002586@turing-police.cc.vt.edu>
Date: Tue Dec 6 21:31:35 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Commercial pressure as a threat to security
On Tue, 06 Dec 2005 07:55:55 PST, Daniel Sichel said:
> Anyhow, Jason summed this up elegantly and succinctly. Is anybody
> addressing this problem with cheap software a small business can afford,
> even to test just the basics?
Plenty of people. Lots of people. Probably 80% or more of the people making
an actual living at the white hat side of security, in fact.
But if I were to actually *mention* anything that sounded like "unclued people
who just know how to do a basic pen test and can't 1337-hax0r a box by hand",
I'd start another flame-fest. ;)
No, those people won't save you from getting pwned by an uber-leet ninja hacker,
because they'll only test all the obvious simple stuff. On the other hand, it's
even more embarrassing to get pwned by a script kiddie using a 3 year old exploit
because you didn't even check the obvious simple stuff.
And there are a lot more script kiddies out there than uber-leet ninja hackers,
and the uber-leet ninja hackers are probably busy elsewhere.
Yes, it's a business decision: You can spend $500 doing enough security to
stop 98% of the potential attackers, or spend gazillions to stop them *all*.
At some point, you have to decide "We've probably made it hard enough to attack
that the script kiddies can't get in, and the ninjas will hopefully go elsewhere
with a better effort/payback ratio".
And then be prepared to be wrong, just like you've hopefully prepared to be wrong
regarding your defenses against earthquakes, floods, and other unlikely-to-happen
things...
I haven't looked at the CISSP, but I bet this concept of business trade-offs
is one of the things a CISSP is supposed to understand. It certainly isn't
something I've seen many signs of understanding from the crowd that's proud
they don't have a CISSP.
And if nothing else, even if your security needs say you should bring in a
talented guy to really pound the net into submission, you should *STILL* hire
the clueless idiot first, if for no other reason than it's better to be
paying the idiot $50/hour to find all the stupid-ass mistakes you made, than
paying the expert $250/hour to find all the stupid-ass mistakes, and then
another $250/hour to do the more in-depth checking. ;)