Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on Nov 26th, 2007, 11:40am)

Title: Risk Calculator when not applying oracle CPU's
Post by Pete Finnigan on Nov 26th, 2007, 11:40am
Hello,

Anybody else tried the "Common Vulnerability Scoring System Version 2 Calculator" (http://nvd.nist.gov/cvss.cfm?calculator&version=2) together with the Oracle Critical Patch Update - October 2007 document found on http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html ?

I need to find a more mathematical way to talk to businesses and DBAs about the risks of not applying Oracle critical patch updates.

Kind regards,
Andre van Winssen

Title: Re: Risk Calculator when not applying oracle CPU's
Post by Pete Finnigan on Nov 28th, 2007, 9:23am
Hi Andre,

Thanks for your question, it's a really good one and in some ways reminds me of Cary and Jeff's performance book that concentrates on measuring performance improvements before they are made.

If this is possible, and I am not convinced it is unless there is some easy way to calculate the cost of the value of the data to the business and then apply the risk factor to that to give a probability of loss? - is this the sort of thing you mean?

I wrote about the CVSS2 in a blog post - http://www.petefinnigan.com/weblog/archives/00001109.htm and of particular note was Steve Kost's comment on this subject and the link to his paper on the same.

Please let us know if you find any more, hopefully Steve may have more and may comment.

cheers

Pete


