Stop Fixing All Security Vulnerabilities, Say B-Sides Security Presenters

← Back to Stories (view on slashdot.org)

Stop Fixing All Security Vulnerabilities, Say B-Sides Security Presenters

Posted by timothy on Thursday August 8, 2013 @04:52AM from the choosing-battles dept.

PMcGovern writes "At BSidesLV in Las Vegas, Ed Bellis and Data Scientist Michael Roytman gave a talk explaining how security vulnerability statistics should be done: 'Don't fix all security issues. Fix the security issues that matter, based on statistical relevance.' They looked at 23,000,000 live vulnerabilities across 1,000,000 real assets, which belonged to 9,500 clients, to explain their thesis."

6 of 88 comments (clear)

Min score:

Reason:

Sort:

A better way to phrase it: by intermodal · 2013-08-08 04:57 · Score: 4, Insightful

Prioritize on the important vulnerabilities. But that should in no way discourage people from fixing the less important ones.
Don't let perfect become the enemy of good.

--
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
1. Re:A better way to phrase it: by SirGarlon · 2013-08-08 05:43 · Score: 4, Insightful
  
  If the attacker's objective is something fungible like credit-card data, then he may, indeed, shrug and move on to an easier target after his first several attacks fail. Why would he waste time on a locked door when there is probably an unlocked house next door? (Figuratively speaking, of course.)
  If the attacker's motivation is specifically against *you*, say politically-motivated attacks like Anonymous makes or industrial espionage, then the bar for the defender is a lot higher because the attacker can't improve his progress toward goals by attacking someone else.
  So how much effort you should expend on defense depends on your threat model.
  
  --
  [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
How about by Monoman · 2013-08-08 05:01 · Score: 4, Insightful

Important items get fixed first. Easy items usually come next. Everything else gets fixed after that.

--
Keep the Classic Slashdot.
Re: erm, no? by Anonymous Coward · 2013-08-08 05:09 · Score: 2, Insightful

They say stop when they mean prioritize. Theoretically, there should be some computer scientists who know how to use English.
Re:erm, no? by fustakrakich · 2013-08-08 05:16 · Score: 3, Insightful

I believe the word is 'triage'..

--
“He’s not deformed, he’s just drunk!”
Re:erm, no? by ackthpt · 2013-08-08 05:28 · Score: 4, Insightful

How about you fix what you can?
That's the fly-swatter approach - you hit the flies you can and ignore those you can't get to.

'Don't fix all security issues. Fix the security issues that matter, based on statistical relevance.'

That line reminds me of the old TQM which was run past us decades ago (and then promptly forgotten by 90% of the Franklin Planner-toting crowd), fix what really needs fixing first. I'm sure this bit of wisdom didn't require TQM to come along (you can probably find it in Hamlet if you know where to look), you fix your most grievous would first and worry about your bruises later, but we (in my department) felt rather put-upon when these TQM zombies came around and told us what a sea-change it would be for our practices and productivity when we embraced what we already knew.

--

A feeling of having made the same mistake before: Deja Foobar