At the OWASP conference there were two interesting measures reported:
1) An MS person reported that the MS SDLC changes twice a year: if the security team finds a security improvement to the SDLC that could have addressed 5 MSRC bugs, it gets included in the next version of the SDLC. This seems like a very adaptive way to evolve your SDLC over time through collaboration between security and software developers.
2) Another person, from a large bank, reported they were seeing 250-750k phishing attacks per month; they introduced 2 factor authN and it went to zero (so far...)
Two factor authentication? Depending on the solution they chose, it is probably costing them 10 times more per month for the tokens (or whatever they are using) than it did to just eat the phish.
Posted by: Pat | May 31, 2006 at 03:23 AM
To the contrary, they were dealing with 250k-750k phishing attacks/month. According to them it has already paid for itself. 2 factor can also take advantage of existing infrastructure in some cases.
Posted by: Gunnar | May 31, 2006 at 03:27 AM