Dailydave mailing list archives
Re: Gold Builds
From: David Maynor <dave () 0dayspray com>
Date: Sat, 29 Nov 2003 16:17:34 -0500
On Sat, 2003-11-29 at 15:31, Dave Aitel wrote:
> This Dilbert is security-industry aware! http://www.comics.com/comics/dilbert/archive/images/dilbert2003111108929.gif
> Are you suggesting that security companies create problems? I would never believe it.
> Now, with bobsbagoffish.com, that's fine. What's a small or medium sized company going to do except use off-the-shelf parts? They just want to know how bad off they are. But with a larger client, the end goal should be, I think, to get the client to change their process to force their vendors to have third-party reviews of their components before they get included in Gold Builds. Otherwise you may have built your entire system on a vendor's products, before realizing they are completely impossible to secure. I think it's a compelling thing to say "Listen, we'd love to include your product in our Base Build, perhaps get a site license? But before we do, we need to see a stamp of approval from one of these four companies." Likewise, when deploying a giant web application, it often makes sense to QA the third-party components of it before you QA your entire finished product. In this case I also think a "stamp of approval" is a good thing, since you can have your vendors get one while you're in your planning process, which gives them time to fix their bugs by the time you go live.
I have to agree with you. I used to work for a large company that built their webservers on top of base builds from a hardware vendor. When they got around to building their own image to ghost every incoming machine with, it still included vendor utilities for hardware diagnostics that were remotely accessible.