lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <25956.1271968994@localhost>
Date: Thu, 22 Apr 2010 16:43:14 -0400
From: Valdis.Kletnieks@...edu
To: Mike Hale <eyeronic.design@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
	security-basics@...urityfocus.com
Subject: Re: Compliance Is Wasted Money, Study Finds

On Wed, 21 Apr 2010 14:44:35 PDT, Mike Hale said:

> According to the paper, roughly 40% is spend on directly securing
> secrets, and another 40% is spent on compliance of some type.  They
> further suggest that half of this compliance spending is spent on
> internal compliance, and half on regulatory/external compliance.

> I find the findings completely flawed.  Am I missing something?

My reading of it is "we spent 40% actually securing it, and an equal amount
on total bullshit paperwork and checkbox-checking to "prove" we secured it,
and the paperwork and checkboxes didn't do anything to directly secure the
data".  Consider - if you spend a week talking to the auditors, that's a
week's salary spent on talking to auditors that didn't actually do squat for
the security.

Similar to if you had to get a yearly safety inspection on your car, and
you had to pay $20 to the mechanic to do the inspection (which will hopefully
actually verify your car meets the legal standards if your mechanic is honest),
but then had to spend another $20 to file the paperwork with the local
Dept of Motor Vehicles to make it official.

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ