[dbsec] Re: When is a security bug not a security bug?
- From: "David Litchfield" <davidl@xxxxxxxxxxxxxxx>
- To: <dbsec@xxxxxxxxxxxxx>
- Date: Thu, 17 Nov 2005 15:45:51 -0000
Hey Chris,
> There's a common misunderstanding about vulnerabilities -
> security folks and managerial statistics weenies tend to
> believe that you can create a comprehensive list of security bugs.
Snip...
Related to this is the whole question of risk rating for security flaws. How
do you quantify the risk for a flaw that leads to a Denial of Service? For a
small town library's database server the risk is probably low - but for a
banking system that processes millions of dollars of transactions an hour
the risk would be critical. Only those responsible for the system can
accurately make risk assessment and it begs the question as to whether
"security advisories" should carry a risk rating at all.
Cheers,
David
- References:
- [dbsec] When is a security bug not a security bug?
- From: Chris Anley