|
||
Title: Risk Calculator when not applying oracle CPU's Post by Pete Finnigan on Nov 26th, 2007, 11:40am Hello, anybody else tried the "Common Vulnerability Scoring System Version 2 Calculator" (http://nvd.nist.gov/cvss.cfm?calculator&version=2) together with Oracle Critical Patch Update - October 2007 document found on http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html ? I need to find a more mathematical way to talk to businesses and dbas about the risks of not applying oracle critical patch updates.. Kind regards, Andre van Winssen |
||
Title: Re: Risk Calculator when not applying oracle CPU's Post by Pete Finnigan on Nov 28th, 2007, 9:23am Hi Andre, Thanks for your question, its a really good one and in some ways reminds me of Cary and Jeff's performance book that concentrates on measuring performance improvements before they are made. If this is possible, and I am not convinced it is unless there is some easy way to calculate the cost of the value of the data to the business and then apply the risk factor to that to give a probability of loss? - is this the sort of thing you mean? I wrote about the CVSS2 in a blog post - http://www.petefinnigan.com/weblog/archives/00001109.htm and of particular note was Steve Kost's comment on this subject and the link to his paper on the same. Please let us know if you find anymore, hopefully Steve may have more and may comment. cheers Pete |
||
Powered by YaBB 1 Gold - SP 1.4! Forum software copyright © 2000-2004 Yet another Bulletin Board |