Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: Adam Shostack <adam () homeport org>
Date: Wed, 9 Apr 2003 22:14:51 -0400
On Wed, Apr 09, 2003 at 08:44:45PM -0400, Marcus J. Ranum wrote:
| It's an across the board problem. I think there's enough blame to go around,
| honestly. :)
...
| not professionalism. Managers have to demand it, and have to support their
| engineers in taking the extra time to use the tools and follow the procedures
| to write rock-solid code. And they have to be able to help control executive's
| expectations as to schedules. Everyone, across the board, has to do their
| job right.

So do the customers.

At the end of the day, it's the customers, who need to have a good reason to care about security, and good assurance that their spending has an effect. There's an argument to be made that customers are in fact making the *right* decisions about their security spending. After all, only one company, to my knowledge, has gone out of business as a result of the failure of their security systems.

But worse, try quantifying the effect of security spending:

Manager: "Is this system secure?"
Expert: "heck no! Let me explain how I'd break in."
Manager: "Ok, what do we need to spend to fix that?"
Expert: "How much you got? Ok, that'll do for a start."
Manager: "Ok, we just spent a million bucks. Is this system secure?"
Expert: "heck no! Let me explain how I'd break in."
Expert: "heck no! Let me explain how I'd break in."

The rational manager doesn't spend money like that. When we start to quantify the effect of security spending, we might start to see more of it.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards