lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3af3d47c1002120537w60dacf48g6d3f2e87fc468507@mail.gmail.com>
Date: Fri, 12 Feb 2010 14:37:25 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: Valdis.Kletnieks@...edu
Cc: "McGhee, Eddie" <Eddie.McGhee@....com>,
	craig.wright@...ormation-defense.com,
	full-disclosure <full-disclosure@...ts.grok.org.uk>,
	security-basics@...urityfocus.com,
	"Thor \(Hammer of God\)" <Thor@...merofgod.com>
Subject: Re: Risk measurements

Let's presume 100k was spent on risk modeling, which actually is way
less then the norm, where was the gain again?
Why exactly does the flaws have to be fixed economically instead of
designing the system correctly in the first place?
And on this same argument, why spend a huge amount of time (money and
resources) *guessing flaws* rather then correct system function?

"why are you spending $250,000 extra to fix the flaw?"
Because the estimate is abviously wrong. You cannot predict the full
outcome which brings the sum from the least possible number up to
infinitum.
For instance, let's imagine a flaw in your favourite OS happens to
allow any hacker backdoor access to it, there's the possibility of it
being covered up neatly, with just paying your developers OR getting a
nice load of media hype and pay dearly with losing your customers.
Personally, I'd rather not do risk modeling at all, or at least, keep
the information within reasonable bounds rather then let it reign my
(hypotethical) company.

Kind regards,
Christian Sciberras.






On Fri, Feb 12, 2010 at 1:31 PM,  <Valdis.Kletnieks@...edu> wrote:
> On Fri, 12 Feb 2010 13:09:55 +0100, Christian Sciberras said:
>
>> There's a time for finding fancy interesting numbers and a time to get
>> the system going with the least flaws possible.
>
> You don't want "the least flaws possible".  We can get very close to zero
> flaws per thousand lines of code - but the result ends up costing hundreds
> of dollars per line.  You want "the most economical number of flaws" - if
> you get it down to 10 flaws, and the next flaw will cost you $750,000 to fix,
> but you estimate your loss as $500,000 if you don't fix it and get hacked,
> why are you spending $250,000 extra to fix the flaw?
>
>> Why should any entity bother with risk modeling if it is not used at all?
>> Here's the real question to the subject; What does risk modeling fix?
>
> Risk modeling is what tells you the flaw will cost $500K to not fix.
> And since you totally screw the pooch if you got it wrong and not fixing
> it costs $1M, people like to do a good job of risk modelling.
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ