Hi Valdis,

I understand you and Tom.

On Sun, Aug 19, 2012 at 11:29 AM,  <[email protected]> wrote:
> On Sat, 18 Aug 2012 12:17:40 -0400, Jeffrey Walton said:
>> On Fri, Aug 17, 2012 at 12:43 AM, Tomas L. Byrnes <[email protected]> wrote:
>> > Ignoring risk is a perfectly valid way of managing it, if the return of
>> > putting the resources into the risky endeavor exceeds the costs of
>> > putting them into managing the risk.
>> I know it's common practice, but I respectfully disagree. It's been my
>> experience that most problems can be solved correctly from an
>> engineering standpoint.
>
> Reading comprehension fail.  Tomas's point is that yes, often there *is* an
> engineering solution.  But if you invest $250K in an engineering solution for
> a problem that only risks $100K loss, you're being stupid.  At that point, just
> making a note that you have a potential $100K liability and getting on with
> your life *is* the proper way to manage that risk.
I agree that's the way it's done in practice.

Here's my "devil's advocate" view (from experience). A software
development team drives requirements and design for an account
management package, and comes up with a crummy, insecure solution.
(Developer driven software is some of the worst software I have ever
seen).

Now, say a bank uses the solution. They send it through a security
review and find it's full of holes and should not be used. The bank
will say: on one hand, it will cost us tens of thousands of dollars
and months of time to design and implement this server software
correctly. In the months that pass, we will lose hundreds of thousands
per month because we lack the feature (customers will go to another
bank). However, it will cost us 50 cents per customer to send out the
data breach letter if something goes wrong.

Later, the server software is breached and 1,000,000 customers have
their names, addresses, and social security numbers stolen. It costs
the bank 500,000 to mail letters. Meanwhile, 1,000,000 people could
endure a lifetime of misery because it was cheaper for the bank to
allow the breach to happen.

I work in this area (security architectures and reviews), and I'm the
guy who points out the defects in the systems. When I fail a system,
it goes on to risk acceptance.

As I said, risk acceptance is a perversion to justify use of unfit and
defective systems. It only benefits the folks who want to use the
system, often in the pursuit of money; and sacrifices the folks who
are part of a system. Often, the unsuspecting souls don't realize they
are even part of a defective system.

Jeff
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.