Secure Coding mailing list archives
Resources to fix vulns
From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Thu, 19 Jul 2007 09:45:29 -0400
I wish formulas were the solution to your question. The problem is that the answer is heavily dependent upon the background of the C-level executive. Some C-Level executives have an analytical background where their backgrounds could have been actuarial, IT, statistics, etc where they would understand intuitively that not all vulnerabilities are equal and that the solution would feel more like describing a design pattern. If your C-Level executive is a process weenie then you have to then get into prioritization and the psychology of dealing with low-hanging fruit vs severity vs occurences and so on. If you C-Level executive is perception-oriented and frequently uses the phrase "perception is reality" then your answer is simply to grab industry quotes from Gartner or similar entity... ________________________________ From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of McCown, Christian M Sent: Wednesday, July 18, 2007 11:54 AM To: sc-l at securecoding.org Subject: [SC-L] Resources to fix vulns What do you tell a C-level exec in terms of h/c and time it will take to fix web app vulnerabilities discovered in a website? X number of vulnerabilities = Y h/c and Z time. Of course there's a host of factors/variables involved that could wind up looking like actuarial tables or DNA sequences (!), but what we'd like to be able to do is sum it up as an initial swag and let the app owners use it as a factor in calculating the actual time to remediate. Anyone done this or like to take a swipe? ____ Chris McCown, GSEC(Gold) Intel Corporation * (916) 377-9428 | * c.mccown at intel.com <mailto:c.mccown at intel.com> ************************************************************************* This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ************************************************************************* -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20070719/1e820b04/attachment.html
Current thread:
- Resources to fix vulns McCown, Christian M (Jul 18)
- Resources to fix vulns ljknews (Jul 18)
- Resources to fix vulns McGovern, James F (HTSC, IT) (Jul 19)
- Resources to fix vulns ljknews (Jul 19)
- Smalltalk and other Second Class Languages McGovern, James F (HTSC, IT) (Jul 19)
- Resources to fix vulns McGovern, James F (HTSC, IT) (Jul 19)
- Resources to fix vulns McGovern, James F (HTSC, IT) (Jul 19)
- Resources to fix vulns ljknews (Jul 18)