Stop Fixing All Security Vulnerabilities, Say B-Sides Security Presenters

PMcGovern writes "At BSidesLV in Las Vegas, Ed Bellis and Data Scientist Michael Roytman gave a talk explaining how security vulnerability statistics should be done: 'Don't fix all security issues. Fix the security issues that matter, based on statistical relevance.' They looked at 23,000,000 live vulnerabilities across 1,000,000 real assets, which belonged to 9,500 clients, to explain their thesis."

  • Re:erm, no? (Score:5, Informative)

    by MacTO ( 1161105 ) on Thursday August 08, 2013 @01:03PM (#44511351)

    The article is talking about fixing what you can. It simply outlines how to prioritize the issues in order to figure out what you can fix with limited resources.

  • by Samantha Wright ( 1324923 ) on Thursday August 08, 2013 @01:04PM (#44511367)

    Their real point is, if you have limited resources, prioritize the vulnerabilities that are (a) currently being exploited and (b) most likely to be exploited given the habits of your favourite boogeyman. Sometimes that means not starting on vulnerabilities as soon as they come in, because you're saving your resources for the chance there's a bigger problem later. Their thesis is about saving your money and time for the most important stuff, and assumes that threats only come from lazy blackhats who prefer certain classes/types of vulnerabilities. Buried in this is the assumption that a given piece of software has an infinite number of vulnerabilities that are discovered at random.

    Statistically, what they're saying is sound if organized crime is your biggest enemy, assuming organized crime's habits don't change any time soon. It's obviously not good enough if you're concerned about, say, a malicious government organization with an absurd budget.
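The prioritization rule this comment describes, written out as an added example that is not part of the original thread or of the presenters' work. The inventory, the field names and the tier thresholds are constructed assumptions; the vulnerability ids are placeholders, not real CVEs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str                 # constructed placeholder id, not a real CVE
    asset: str
    cvss: float              # base severity score
    exploited_in_wild: bool  # exploitation actually observed (breach / IDS data)
    public_exploit: bool     # exploit code available to opportunistic attackers


# Constructed sample inventory; ids, assets and scores are illustrative only.
INVENTORY = [
    Vuln("VULN-001", "web-01", 9.8, False, False),
    Vuln("VULN-002", "web-01", 6.5, True, True),
    Vuln("VULN-003", "db-02", 7.5, False, True),
    Vuln("VULN-004", "mail-03", 4.3, False, False),
]


def tier(v: Vuln, adversary: str = "opportunistic") -> int:
    """Lower tier number means fix sooner.

    Opportunistic model (the talk's thesis): evidence of exploitation outranks
    raw severity, and everything else is deferred until the exploited set is
    cleared.  Targeted model (the comment's caveat): a well-resourced adversary
    builds exploits as needed, so severity alone decides and nothing is deferred.
    """
    if adversary == "targeted":
        return 0 if v.cvss >= 7.0 else 1
    if v.exploited_in_wild:
        return 0
    if v.public_exploit:
        return 1
    return 2  # deferred: schedule when resources free up


def prioritize(vulns, adversary: str = "opportunistic"):
    """Order the inventory by tier, then by severity within a tier."""
    return sorted(vulns, key=lambda v: (tier(v, adversary), -v.cvss))


def work_queue(vulns, adversary: str = "opportunistic"):
    """Return just the ids, in the order the remediation team should take them."""
    return [v.vid for v in prioritize(vulns, adversary)]
```

Under the opportunistic model the CVSS 9.8 finding with no known exploitation lands behind the CVSS 6.5 one that is being exploited today; switching to the targeted model reverses that ordering.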

  • Re:djbdns (Score:5, Informative)

    by Todd Knarr ( 15451 ) on Thursday August 08, 2013 @01:22PM (#44511555)

    Attitude. Some software is written by anal-retentive paranoid cynical bastards who make sure every bit of code is iron-clad and air-tight, who take any flaw as a personal insult to be exterminated. Flaw? Forget flaw, even a slight deviation from what they've determined to be correct operation is hunted down mercilessly no matter how long it takes. Any cruft in the design, anything that's not clean and perfect, is lopped off and re-done until everything fits together correctly. If that results in a delay, so be it. The only work that's discarded is work that doesn't contribute to the correctness of the result.

    Other code is produced by people who're fine with leaving cruft and ugly bits in as long as they don't detect any errors coming from it. Rework and clean-up is fine, as long as it doesn't impact the delivery schedule.

    3 guesses which kind of developer produces which kind of software.
