Comments on Jeremiah Grossman: Website Vulnerability Assessments: Good, Fast, or Cheap - Pick Two
(comment feed, 8 comments; last updated 2024-02-08)

Calandale (https://www.blogger.com/profile/15785315083937042946), 2010-08-03 12:31 -07:00:

I think you may be overoptimistic in allowing us to pick TWO. Fast enough to meet the QA terms that you elucidate isn't enough time to learn the application sufficiently. And, no matter what, a top-tier scanner isn't cheap, in my book.

You can definitely manage fast and cheap, so that's where the industry settled.

Anonymous, 2010-08-03 16:06 -07:00:

Really? You think it's possible to get both "good" and "cheap"? I'm skeptical.

I suspect it's not "good, fast, cheap, pick any two"; I suspect it's "good, cheap, pick any one".

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2010-08-03 16:11 -07:00:

@Anonymous: The great thing about having a blog is that I can start off with one opinion and collect insight from others.

"good, cheap, pick any one".... you might in fact be right upon further reflection. :)

alan shimel (http://www.ashimmy.com), 2010-08-03 19:26 -07:00:

Jeremiah, there was a good song once that was titled "two out of three ain't bad"; the same applies here, I think.

Sherif Koussa (http://www.softwaresecured.com), 2010-08-05 10:53 -07:00:

I agree, getting down to business requirements and a fast-paced rhythm, it DOES boil down to fast, cheap and good. It is funny because I was thinking about a similar topic a couple of months ago and I ended up with the conclusion that in order for security to really penetrate into the software development life cycle, all three have to be available. Would we get there one day? :)

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2010-08-05 11:20 -07:00:

@Sherif: can't have all three, simply impossible -- unless you define the terms to your benefit. When it comes down to it, the business really has to decide precisely HOW good, HOW fast, and HOW cheap they need to be. Or at least we need to provide them their options.

RobbReck (https://www.blogger.com/profile/04231399987628835223), 2010-08-05 12:49 -07:00:

You're right in summarizing that those three elements are the essential tension. But I believe there's a key component missing from that summary. One important reason for having on-staff InfoSec practitioners is to create a situation where you CAN have all three.

As we refine our processes and learn more about our customers, the objective should be to get faster, better and cheaper. My goal, as an InfoSec provider to my employer, is to give them all three legs as well as possible.

While the tension between those three aspects won't go away, by getting better at our processes we can deliver high-quality products in a short time for an affordable cost.

Just my two cents...

Robb Reck
www.robbreck.com/blog
www.twitter.com/robbreck

Anonymous (https://www.blogger.com/profile/10803765980668812597), 2010-08-10 10:35 -07:00:

My 2*10^-2 cents...

Good = Breadth * Depth
We can gain in breadth either by allocating more time or more money.
But. We cannot gain in depth by allocating more time. We need to allocate money. I.e. a tool or a man that cannot perform a specific kind of analysis won't be able to overcome its limitations just because of a longer run :)