Dailydave mailing list archives

Re: More offensive security metrics and you


From: dan () geer org
Date: Mon, 17 Aug 2009 23:25:36 -0400


dave writes:
-+----------
 | <snip>
 | 
 | I know there's a long list of these sorts of things, and when you have
 | 80% of them, you can't get kicked out. Essentially, you'll have found
 | strategic operational flaws that transcend any point-fixes the company
 | may be able to put into place.
 | 



Actually, it is a worthwhile goal to describe the
tipping point of a penetration, the moment when,
as you say, the penetrator can no longer be kicked
out.

I'm sure you'd like the catalog of what that takes,
and you've begun it.  Keep at the effort, please.
I'm more interested in the rate constant -- how long
does it take to reach the tipping point, is that
time rising or falling, and is self-optimising
automation feasible?  I'm (more than) happy to
measure "time" in something synthetic like clock
cycles, function calls, number of training rounds,
etc.  I just want to know the first and second
derivatives.  Nothing much...

--dan

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

