Message-ID: <20200905054704.1d90da6a@jabberwock.cb.piermont.com>
Date: Sat, 5 Sep 2020 05:47:04 -0400
From: "Perry E. Metzger" <perry@...rmont.com>
To: Pramod Rana <varchashva@...il.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Open Source Tool | vPrioritization | Risk Prioritization Framework

[Perhaps somewhat off topic, but the original announcement felt a bit
tangential as well.]

On Thu, 3 Sep 2020 20:13:34 +0530 Pramod Rana <varchashva@...il.com>
wrote:
> It is no secret that today we have more vulnerabilities than we can
> assess and remediate, timely and comprehensively. Risk
> prioritization is a key component for any vulnerability management
> program.

I'm not sure I agree with this premise.

1. It is entirely feasible to keep even a very large organization
comprehensively patched. There are organizations that do that.
2. It is not feasible to calculate a probability of exploitation of a
given vulnerability, and it is not feasible to determine how bad the
damage from exploitation will be. This is a classic example of "tail
risk" where probability distributions are simply not calculable by
normal methods.

I keep hearing people in the security industry speak about scientific
risk assessment as though it were possible. I don't think it's
possible, and it seems cheaper to simply patch than to do some sort
of scientific assessment and prioritization of patches.

My gut reaction is that the growth of this idea is attributable
to the large number of large, well-funded organizations that are
nonetheless not capable of properly maintaining their own
infrastructure and thus not capable of patching in a timely manner.
(I have consulted to many such organizations.)

The notion that some sort of "risk analytics" could therefore justify
failing to patch quickly and give a rationale for maintaining an
incapable systems management team is thus attractive. However, the
real solution is simply to patch; a capable systems management team is
better than the illusion of a risk calculation system, and provides
far more benefits than simply maintaining infrastructure in a fully
patched state.

Perry
-- 
Perry E. Metzger		perry@...rmont.com
