Dailydave mailing list archives

Re: Faster, smashter.


From: Halvar Flake <halvar () gmx de>
Date: Tue, 09 Dec 2008 18:21:33 +0100

Hey all,

One technique we're doing this week with a client is taking an attack
tree and marking it up with dollar values. I.E. if you wanted to buy
an 0day in X component, how much would it cost?

This then is a simple summation to produce a "how much is it to get
into the internal network from the internet" which the business can
use to help them decide yay/nay on the project as a whole depending on
their own view of the threat and the value of the information they are
protecting.

Sounds quite reasonable. It's also one of the pro arguments for having
(public) vulnerability markets: They provide planners with price
information for attack tools, and thus allow more informed decisions.

Cheers,
Halvar
PS: I am not advocating unrestricted OTC vulnerability trading with this,
just pointing out that having pricing information publicly available is
very useful for planners.
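
The priced attack tree discussed in this message, as an added example that is not part of the original thread. It goes beyond the "simple summation" by taking the minimum across alternative paths (OR nodes) and summing only the steps a path needs together (AND nodes); every node name and dollar figure is constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Node:
    name: str
    kind: str = "leaf"      # "leaf", "and" (every child needed) or "or" (any one child)
    cost: int = 0           # leaf only: estimated price in dollars
    children: tuple = ()

def cheapest(node):
    """Return (total cost, [leaf names]) for the cheapest way to reach node."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    if not node.children:
        raise ValueError(f"{node.name}: '{node.kind}' node has no children")
    results = [cheapest(child) for child in node.children]
    if node.kind == "and":   # attacker must pay for every step
        return sum(c for c, _ in results), [n for _, p in results for n in p]
    if node.kind == "or":    # attacker picks the cheapest alternative
        return min(results, key=lambda r: r[0])
    raise ValueError(f"{node.name}: unknown node kind {node.kind!r}")

def reprice(node, leaf_name, new_cost):
    """Copy of the tree with one leaf repriced, e.g. after a hardening project."""
    if node.kind == "leaf":
        return replace(node, cost=new_cost) if node.name == leaf_name else node
    kids = tuple(reprice(c, leaf_name, new_cost) for c in node.children)
    return replace(node, children=kids)

# Constructed sample tree; prices are placeholders, not market data.
TREE = Node("internal network from the internet", "or", children=(
    Node("via exposed service", "and", children=(
        Node("0day in component X", cost=50_000),
        Node("local privilege escalation", cost=20_000))),
    Node("via client side", "and", children=(
        Node("0day in component Y", cost=30_000),
        Node("egress filter bypass", cost=15_000))),
))

if __name__ == "__main__":
    before, path = cheapest(TREE)
    hardened = reprice(TREE, "0day in component Y", 80_000)
    after, new_path = cheapest(hardened)
    print(f"before: ${before:,} via {path}")
    print(f"after:  ${after:,} via {new_path}")
    print(f"project raises the entry price by ${after - before:,}")
```

Repricing one leaf shows why the whole tree matters for the yay/nay decision: the gain from hardening a component is capped by the next-cheapest path.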
