On 06/02/2011 15:58, Dave Aitel wrote:
> So I was at a meeting last week, and one of the high ranking members
> said something like this, which I'm sure you've heard before:
>
> Member: We've improved our communications by setting up this great
> website! It allows us to communicate all our super-important and
> highly confidential information. We had a marketing team put it
> together so it looks really professional and nice and is easy to use.
> We think this will really help our mission. Oh, and we had a friend of
> a friend do a quick free security scan for us, so it's secure too.
>
> So here's my simple and 100% accurate metric: If you spent more on
> your GUI than on your security, you don't have a secure application.
> Start preparing for the PR fallout of your website getting hacked now.

I think you're using an extreme example there, but there's definitely a correlation between the relative amount of money spent on security and the overall cost of a solution. I prefer questions like "Is your source code control based on copying folders on a file server and sticking _001, _002 on the end?" and "When did you stop beating your developers?" as gauges of how bad it's going to be.

--
Steve Lord
Mandalorian Security Services
w: http://www.mandalorian.com
e: [email protected]

Get the latest Information Security News at Infosec Update:
http://news.mandalorian.com
