Stop Fixing All Security Vulnerabilities, Say B-Sides Security Presenters
PMcGovern writes "At BSidesLV in Las Vegas, Ed Bellis and Data Scientist Michael Roytman gave a talk explaining how security vulnerability statistics should be done: 'Don't fix all security issues. Fix the security issues that matter, based on statistical relevance.' They looked at 23,000,000 live vulnerabilities across 1,000,000 real assets, which belonged to 9,500 clients, to explain their thesis."
A better way to phrase it: (Score:4, Insightful)
Prioritize on the important vulnerabilities. But that should in no way discourage people from fixing the less important ones.
Don't let perfect become the enemy of good.
How about (Score:5, Insightful)
Important items get fixed first. Easy items usually come next. Everything else gets fixed after that.
Re:erm, no? (Score:2, Insightful)
They say stop when they mean prioritize. Theoretically, there should be some computer scientists who know how to use English.
Re:erm, no? (Score:3, Insightful)
I believe the word is 'triage'.
Re:erm, no? (Score:5, Insightful)
How about you fix what you can?
That's the fly-swatter approach - you hit the flies you can and ignore those you can't get to.
'Don't fix all security issues. Fix the security issues that matter, based on statistical relevance.'
That line reminds me of the old TQM which was run past us decades ago (and then promptly forgotten by 90% of the Franklin Planner-toting crowd): fix what really needs fixing first. I'm sure this bit of wisdom didn't require TQM to come along (you can probably find it in Hamlet if you know where to look): you fix your most grievous wound first and worry about your bruises later. But we (in my department) felt rather put-upon when these TQM zombies came around and told us what a sea-change it would be for our practices and productivity when we embraced what we already knew.
Re:A better way to phrase it: (Score:5, Insightful)
If the attacker's objective is something fungible like credit-card data, then he may, indeed, shrug and move on to an easier target after his first several attacks fail. Why would he waste time on a locked door when there is probably an unlocked house next door? (Figuratively speaking, of course.)
If the attacker's motivation is specifically against *you*, say politically-motivated attacks like Anonymous makes or industrial espionage, then the bar for the defender is a lot higher because the attacker can't improve his progress toward goals by attacking someone else.
So how much effort you should expend on defense depends on your threat model.