From: Halvar Flake (halvar gmx.de)
Date: Tue Dec 09 2008 - 11:21:33 CST
Hey all,
> One technique we're doing this week with a client is taking an attack
> tree and marking it up with dollar values. I.E. if you wanted to buy
> an 0day in X component, how much would it cost?
>
> This then is a simple summation to produce a "how much is it to get
> into the internal network from the internet" which the business can
> use to help them decide yay/nay on the project as a whole depending on
> their own view of the threat and the value of the information they are
> protecting.
Sounds quite reasonable. It's also one of the pro arguments for having
(public) vulnerability markets: They provide planners with price
information for attack tools, and thus allow more informed decisions.
Cheers,
Halvar
PS: I am not advocating unrestricted OTC vulnerability trading with this,
just pointing out that having pricing information publicly available
is very useful for planners.
_______________________________________________
Dailydave mailing list
Dailydave lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
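
Added example, not part of the original message or thread: the dollar-costed attack tree from the quoted text, generalized beyond a plain sum so that AND nodes add their children's prices and OR nodes take the cheapest alternative (an assumption about how the tree is structured). The tree, the component names and every dollar value are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Node:
    """One attack-tree node. Leaves carry a price; inner nodes combine children."""
    name: str
    kind: str = "LEAF"      # "LEAF", "AND" (all children needed) or "OR" (any one child)
    cost: float = 0.0       # leaf only: estimated price in dollars
    children: List["Node"] = field(default_factory=list)

def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (minimum attacker spend, leaves purchased) for the subtree."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    if not node.children:
        raise ValueError(f"{node.kind} node {node.name!r} has no children")
    results = [cheapest(c) for c in node.children]
    if node.kind == "AND":
        # every step is required, so prices add up (the "simple summation")
        return sum(c for c, _ in results), [n for _, ns in results for n in ns]
    if node.kind == "OR":
        # a rational attacker buys the cheapest alternative
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown node kind {node.kind!r}")

# Constructed tree; all component names and dollar values are made up.
TREE = Node("reach internal network from internet", "AND", children=[
    Node("get code execution in DMZ", "OR", children=[
        Node("0day in web front end", cost=60_000),
        Node("0day in mail gateway", cost=40_000),
    ]),
    Node("cross DMZ firewall", "OR", children=[
        Node("0day in firewall", cost=150_000),
        Node("pivot via management host", "AND", children=[
            Node("0day in monitoring agent", cost=30_000),
            Node("local privilege escalation", cost=20_000),
        ]),
    ]),
])

def exceeds_budget(tree: Node, threat_budget: float) -> bool:
    """True when the cheapest attack costs more than the assumed adversary budget."""
    total, _ = cheapest(tree)
    return total > threat_budget

if __name__ == "__main__":
    total, path = cheapest(TREE)
    print(f"cheapest attack: ${total:,.0f} via {path}")
```

The returned leaf list shows which priced components set the total, which is where a planner would look first when deciding what to harden or re-price.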