Home page logo
/

dailydave logo Dailydave mailing list archives

Re: Faster, smashter.
From: Halvar Flake <halvar () gmx de>
Date: Tue, 09 Dec 2008 18:21:33 +0100

Hey all,

One technique we're doing this week with a client is taking an attack
tree and marking it up with dollar values. I.E. if you wanted to buy
an 0day in X component, how much would it cost?

This then is a simple summation to produce a "how much is it to get
into the internal network from the internet" which the business can
use to help them decide yay/nay on the project as a whole depending on
their own view of the threat and the value of the information they are
protecting.
Sounds quite reasonable. It's also one of the pro arguments for having
(public)
vulnerability markets: They provide planners with price information for
attack
tools, and thus allow more informed decisions.

Cheers,
Halvar
PS: I am not advocating unrestricted OTC vulnerability trading with this,
just pointing out that having pricing information publically available
is very
useful for planners

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]