Re: Faster, smashter.
From: Halvar Flake <halvar () gmx de>
Date: Tue, 09 Dec 2008 18:21:33 +0100
> One technique we're doing this week with a client is taking an attack
> tree and marking it up with dollar values. I.E. if you wanted to buy
> an 0day in X component, how much would it cost?
> This then is a simple summation to produce a "how much is it to get
> into the internal network from the internet" which the business can
> use to help them decide yay/nay on the project as a whole depending on
> their own view of the threat and the value of the information they are

Sounds quite reasonable. It's also one of the pro arguments for having
vulnerability markets: They provide planners with price information for
tools, and thus allow more informed decisions.
PS: I am not advocating unrestricted OTC vulnerability trading with this,
just pointing out that having pricing information publicly available
is useful for planners.
Dailydave mailing list
Dailydave () lists immunitysec com
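The costing described in the quoted paragraph, as an added example that is not part of the original thread: a dollar-annotated attack tree where AND nodes sum their children (the "simple summation") and OR nodes take the cheapest branch. The OR rule goes beyond what the thread states and is an assumption, as are all node names, the `Node`, `cheapest` and `reprice` helpers, and every price, which are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "leaf"   # "leaf", "and" (every child needed) or "or" (any one child)
    cost: float = 0.0    # leaves only: constructed dollar estimate
    children: list = field(default_factory=list)

def cheapest(node):
    """Return (dollars, leaves) for the cheapest way to reach this node."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    if not node.children:
        raise ValueError(f"{node.name}: non-leaf node without children")
    results = [cheapest(child) for child in node.children]
    if node.kind == "and":   # the summation from the thread
        return (sum(c for c, _ in results),
                [leaf for _, leaves in results for leaf in leaves])
    if node.kind == "or":    # assumption: the cheapest branch sets the price
        return min(results, key=lambda r: r[0])
    raise ValueError(f"{node.name}: unknown kind {node.kind!r}")

def reprice(node, leaf_name, new_cost):
    """Model a mitigation or market shift by changing one leaf's price."""
    if node.kind == "leaf" and node.name == leaf_name:
        node.cost = new_cost
    for child in node.children:
        reprice(child, leaf_name, new_cost)

def build_sample_tree():
    # Constructed tree and prices, for illustration only.
    return Node("internal network from the internet", "or", children=[
        Node("path A", "and", children=[
            Node("0day in component X", cost=50_000),
            Node("0day in component Y", cost=20_000)]),
        Node("path B", "and", children=[
            Node("0day in component Z", cost=120_000)]),
        Node("path C", "and", children=[
            Node("0day in component V", cost=40_000),
            Node("0day in component W", cost=60_000)]),
    ])

if __name__ == "__main__":
    tree = build_sample_tree()
    print(cheapest(tree))
    reprice(tree, "0day in component X", 90_000)
    print(cheapest(tree))
```

Repricing one leaf shows how much a hardening investment actually raises the overall entry cost: once path A becomes more expensive than path C, further spending on component X buys nothing.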