| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <24199.1265977883@localhost>
Date: Fri, 12 Feb 2010 07:31:23 -0500
From: Valdis.Kletnieks@...edu
To: Christian Sciberras <uuf6429@...il.com>
Cc: "McGhee, Eddie" <Eddie.McGhee@....com>,
craig.wright@...ormation-defense.com,
full-disclosure <full-disclosure@...ts.grok.org.uk>,
security-basics@...urityfocus.com,
"Thor \(Hammer of God\)" <Thor@...merofgod.com>
Subject: Re: Risk measurements
On Fri, 12 Feb 2010 13:09:55 +0100, Christian Sciberras said:
> There's a time for finding fancy interesting numbers and a time to get
> the system going with the least flaws possible.
You don't want "the least flaws possible". We can get very close to zero
flaws per thousand lines of code - but the result ends up costing hundreds
of dollars per line. You want "the most economical number of flaws" - if
you get it down to 10 flaws, and the next flaw will cost you $750,000 to fix,
but you estimate your loss as $500,000 if you don't fix it and get hacked,
why are you spending $250,000 extra to fix the flaw?
> Why should any entity bother with risk modeling if it is not used at all?
> Here's the real question to the subject; What does risk modeling fix?
Risk modeling is what tells you the flaw will cost $500K to not fix.
And since you totally screw the pooch if you got it wrong and not fixing
it costs $1M, people like to do a good job of risk modelling.
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists