On Jan 11, 10:00am, Marcus J. Ranum wrote:
******DELETIA********
> I suspect, but I don't know, that Tsutomu would probably
> say something similar. The game of securing systems is correctly
> balancing risks against technical responses to risk. If you can
> convince yourself the risks are low, then the technical responses
> required are also low.
>
> If you don't take the time to figure out what's at stake
> you can't produce a measured, appropriate response.
Truer words ne'er were passed on this list.
We spend so much more time in the administrivia of 'mine is {bigger|faster|better}
than yours' than we do in the 'what is the risk of providing a service, what
is the analysis of the threat, and what is the level of security that we can
live with to provide our customers (remember them???) a reasonable service
in an auditable manner...'
If you don't know what the objective is, it is pretty hard to design a system
to help you get there.
Just my $.02
--
Bryan D. Boyle | EMAIL: bdboyle @ erenj . com  908-730-3338
#include <disclaimer> | http://www.access.digex.net/~bdboyle/index.html
"It is only the ignorant who suppose themselves omniscient."
--General Robert Edward Lee--