“Conditional complexity” (also called cyclomatic complexity) is a term used to measure the complexity of software. The term refers to the number of linearly independent paths through a program function; a higher value means higher maintenance and testing costs.
Borrowing that concept in risk modeling, we can apply conditional complexity when calculating the risk severity of security vulnerabilities by evaluating the preconditions necessary for a vulnerability to be exploited.
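To make the borrowed idea concrete, here is an added example (not code from the original post) that models a vulnerability's preconditions as a small AND/OR tree. Each leaf is one condition an attacker must satisfy, with an estimated probability that it holds in the deployed environment; AND nodes multiply likelihoods, OR nodes represent alternative paths. The number of ways the tree can be satisfied is the "conditional complexity" of the finding, and the risk score weights business impact by how likely the full set of preconditions is. The two findings, their impact values and all probabilities are constructed sample values, and the 0 to 10 impact scale is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Precondition:
    """One condition an attacker must satisfy before the vulnerability is
    exploitable, with an assumed estimate of how likely it is to hold."""
    name: str
    likelihood: float  # 0.0 .. 1.0


@dataclass
class AllOf:
    """Every child condition must hold (AND)."""
    children: List[Node]


@dataclass
class AnyOf:
    """At least one child condition must hold (OR): each child is an alternative path."""
    children: List[Node]


Node = Union[Precondition, AllOf, AnyOf]


def likelihood(node: Node) -> float:
    """Probability that the whole precondition set is satisfied, treating
    individual conditions as independent."""
    if isinstance(node, Precondition):
        return node.likelihood
    if isinstance(node, AllOf):
        p = 1.0
        for child in node.children:
            p *= likelihood(child)
        return p
    # AnyOf: probability that at least one alternative holds
    none_hold = 1.0
    for child in node.children:
        none_hold *= 1.0 - likelihood(child)
    return 1.0 - none_hold


def path_count(node: Node) -> int:
    """Number of distinct ways to satisfy the preconditions; the risk-model
    analogue of counting paths through a function."""
    if isinstance(node, Precondition):
        return 1
    if isinstance(node, AllOf):
        total = 1
        for child in node.children:
            total *= path_count(child)
        return total
    return sum(path_count(child) for child in node.children)


def min_preconditions(node: Node) -> int:
    """Fewest individual conditions an attacker must meet on any single path."""
    if isinstance(node, Precondition):
        return 1
    if isinstance(node, AllOf):
        return sum(min_preconditions(child) for child in node.children)
    return min(min_preconditions(child) for child in node.children)


@dataclass
class Finding:
    name: str
    impact: float  # 0 .. 10, business impact if exploited (assumed scale)
    preconditions: Node


def risk_score(finding: Finding) -> float:
    """Severity = impact weighted by how likely the preconditions are to hold."""
    return finding.impact * likelihood(finding.preconditions)


def rank(findings: List[Finding]) -> List[str]:
    """Finding names ordered from highest to lowest risk score."""
    return [f.name for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample findings: high impact but several preconditions versus
# low impact with almost no preconditions.
SESSION_HIJACK = Finding(
    name="session hijack",
    impact=9.0,
    preconditions=AllOf([
        Precondition("attacker can observe the victim's traffic", 0.2),
        Precondition("victim authenticates during the attack window", 0.3),
    ]),
)

ERROR_DISCLOSURE = Finding(
    name="verbose error page",
    impact=3.0,
    preconditions=AnyOf([
        Precondition("anonymous request reaches the page", 0.9),
        Precondition("authenticated user triggers the error", 0.5),
    ]),
)

if __name__ == "__main__":
    for f in (SESSION_HIJACK, ERROR_DISCLOSURE):
        print(f"{f.name}: impact={f.impact} likelihood={likelihood(f.preconditions):.2f} "
              f"paths={path_count(f.preconditions)} "
              f"min_conditions={min_preconditions(f.preconditions)} "
              f"risk={risk_score(f):.2f}")
    print("ranking:", rank([SESSION_HIJACK, ERROR_DISCLOSURE]))
```

With these sample numbers the session hijack scores 9 x 0.06 = 0.54 while the error page scores 3 x 0.95 = 2.85, so the finding with the scarier impact ranks below the mundane one. The independence assumption is the weak point of this model: preconditions that share a cause (the same network position, the same user population) should be collapsed into one leaf rather than multiplied.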
When doing a security assessment recently, I came across an ugly vulnerability. An attacker who exploited this vulnerability would be able to hijack a victim’s session and impersonate that victim on the system. That sort of thing is generally undesirable.
Business owners typically don’t want something like that to happen, so a knee-jerk reaction is to fix this issue immediately and at all costs. But when is it time to sound the alarm?
The thing is, this particular problem really wasn’t that bad. Sure, the impact to the business would certainly be bad, but it likely wouldn’t happen. To understand why the sky wasn’t falling, let’s take a step back and look at what risk and risk management are.