Dailydave mailing list archives
Re: Faster, smashter.
From: Halvar Flake <halvar () gmx de>
Date: Tue, 09 Dec 2008 18:21:33 +0100
Hey all,
One technique we're doing this week with a client is taking an attack tree and marking it up with dollar values. I.E. if you wanted to buy an 0day in X component, how much would it cost? This then is a simple summation to produce a "how much is it to get into the internal network from the internet" which the business can use to help them decide yay/nay on the project as a whole depending on their own view of the threat and the value of the information they are protecting.
Sounds quite reasonable. It's also one of the pro arguments for having (public) vulnerability markets: They provide planners with price information for attack tools, and thus allow more informed decisions.

Cheers,
Halvar

PS: I am not advocating unrestricted OTC vulnerability trading with this, just pointing out that having pricing information publicly available is very useful for planners.
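Added example, not part of the original message: the dollar-marked attack tree described in the thread, sketched in Python for planning use. Steps that must all succeed are summed, and where the tree offers alternative routes the cheapest is taken (a generalization beyond the simple summation mentioned above); all node names, dollar figures and helper names are constructed for illustration and are not market prices.

```python
import math
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "leaf"   # "leaf", "and" (every child needed) or "or" (any one child)
    cost: int = 0        # leaf only: estimated price in dollars (constructed values)
    children: list = field(default_factory=list)

def cheapest(node, blocked=frozenset()):
    """Return (cost, leaf names) of the cheapest way to reach `node`.
    Leaves named in `blocked` are treated as unobtainable (infinite cost)."""
    if node.kind == "leaf":
        return (math.inf if node.name in blocked else node.cost), [node.name]
    results = [cheapest(child, blocked) for child in node.children]
    if node.kind == "and":   # a chain of steps: costs add up
        return sum(c for c, _ in results), [n for _, p in results for n in p]
    if node.kind == "or":    # alternative routes: attacker takes the cheapest
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown node kind: {node.kind}")

def hardening_gain(tree, leaf_name):
    """How much the cheapest total rises if one leaf is closed off entirely."""
    return cheapest(tree, frozenset({leaf_name}))[0] - cheapest(tree)[0]

def project_is_exposed(tree, asset_value):
    """True when the protected information is worth more than the entry cost."""
    return asset_value > cheapest(tree)[0]

# Constructed tree: two routes from the internet to the internal network.
TREE = Node("internal network from the internet", "or", children=[
    Node("via exposed web application", "and", children=[
        Node("0day in web framework", cost=40_000),
        Node("local privilege escalation", cost=15_000),
        Node("pivot past DMZ firewall", cost=10_000),
    ]),
    Node("via employee workstation", "and", children=[
        Node("0day in mail client", cost=60_000),
        Node("endpoint protection bypass", cost=20_000),
    ]),
])

if __name__ == "__main__":
    total, steps = cheapest(TREE)
    print(f"cheapest entry: ${total:,} via {steps}")
    for leaf in ("0day in web framework", "0day in mail client"):
        print(f"closing '{leaf}' raises the price by ${hardening_gain(TREE, leaf):,}")
```

Closing a step on the more expensive route changes nothing in the total, which is the kind of result the business side can use when deciding where to spend.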