Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Risk measurements
From: Valdis.Kletnieks () vt edu
Date: Fri, 12 Feb 2010 07:31:23 -0500

On Fri, 12 Feb 2010 13:09:55 +0100, Christian Sciberras said:

There's a time for finding fancy interesting numbers and a time to get
the system going with the least flaws possible.

You don't want "the least flaws possible".  We can get very close to zero
flaws per thousand lines of code - but the result ends up costing hundreds
of dollars per line.  You want "the most economical number of flaws" - if
you get it down to 10 flaws, and the next flaw will cost you $750,000 to fix,
but you estimate your loss as $500,000 if you don't fix it and get hacked,
why are you spending $250,000 extra to fix the flaw?

Why should any entity bother with risk modeling if it is not used at all?
Here's the real question to the subject; What does risk modeling fix?

Risk modeling is what tells you the flaw will cost $500K to not fix.
And since you totally screw the pooch if you got it wrong and not fixing
it costs $1M, people like to do a good job of risk modelling.

Attachment: _bin

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]