Dailydave mailing list archives

Re: Gold Builds


From: David Maynor <dave () 0dayspray com>
Date: Sat, 29 Nov 2003 16:17:34 -0500

On Sat, 2003-11-29 at 15:31, Dave Aitel wrote:
> This dilbert is security-industry aware!
> http://www.comics.com/comics/dilbert/archive/images/dilbert2003111108929.gif
>
> Are you suggesting that security companies create problems? I would
> never believe it.
>
> Now, with bobsbagoffish.com, that's fine. What's a small or medium sized
> company going to do except use off-the-shelf parts? They just want to
> know how bad off they are. But with a larger client, the end goal should
> be, I think, to get the client to change their process to force their
> vendors to have third-party reviews of their components before they get
> included in Gold Builds. Otherwise you may have built your entire system
> on a vendor's products, before realizing they are completely impossible
> to secure. I think it's a compelling thing to say "Listen, we'd love to
> include your product in our Base Build, perhaps get a site license? But
> before we do, we need to see a stamp of approval from one of these four
> companies." Likewise, when deploying a giant web application, it often
> makes sense to QA the third-party components of it before you QA your
> entire finished product. In this case I also think a "stamp of approval"
> is a good thing, since you can have your vendors get one while you're in
> your planning process, which gives them time to fix their bugs by the
> time you go live.

I have to agree with you. I used to work for a large company that built
their webservers on top of base builds from a hardware vendor. When
they got around to building their own image to ghost every incoming machine
with, it still included vendor utilities for hardware diagnostics that were
remotely accessible.


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
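As an added example, not part of the thread or of anyone's post on it: the failure Maynor describes (vendor diagnostic daemons riding along into the gold image) is cheap to catch if the image's listening services are compared against an approved baseline before it is declared "gold". The script below assumes a snapshot in the shape of `ss -Hltnp` output; the snapshot lines, the baseline of ports 22/80/443 and the service name `vendor_diagd` on port 8043 are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a gold build's listening TCP
# services against an approved baseline so vendor diagnostic daemons do not
# get ghosted onto every incoming machine. Input format assumed to be the
# output of `ss -Hltnp` (one socket per line, no header).

# Approved TCP listeners for a web server build (assumption for the example).
BASELINE="22 80 443"

# Constructed snapshot resembling `ss -Hltnp` on a freshly imaged host.
# The vendor_diagd entry on 8043 stands in for a hardware-diagnostic service.
SNAPSHOT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 *:80 *:* users:(("httpd",pid=1203,fd=4))
LISTEN 0 511 *:443 *:* users:(("httpd",pid=1203,fd=6))
LISTEN 0 5 0.0.0.0:8043 0.0.0.0:* users:(("vendor_diagd",pid=977,fd=9))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))'

# port_of ADDR: return the port part of a local address column.
# Strips everything up to the last colon, so it handles 0.0.0.0:22, *:80
# and bracketed IPv6 forms such as [::]:22.
port_of() {
    printf '%s\n' "$1" | sed 's/.*://'
}

# in_baseline PORT: succeed if PORT is one of the approved listeners.
in_baseline() {
    for p in $BASELINE; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# unexpected_listeners: print "port process" for every listener whose port is
# not in BASELINE, de-duplicated so a v4 and v6 socket of one service collapse.
unexpected_listeners() {
    printf '%s\n' "$SNAPSHOT" |
    while read -r state recvq sendq local peer proc; do
        port=$(port_of "$local")
        in_baseline "$port" && continue
        # Pull the process name out of users:(("name",pid=...,fd=...)).
        name=$(printf '%s\n' "$proc" | sed 's/.*(("\([^"]*\)".*/\1/')
        printf '%s %s\n' "$port" "$name"
    done | sort -u
}

# audit: return 0 if the image matches the baseline, 1 if anything extra is
# listening. Run this against the candidate image before promoting it.
audit() {
    found=$(unexpected_listeners)
    if [ -n "$found" ]; then
        printf 'unexpected listeners in image:\n%s\n' "$found" >&2
        return 1
    fi
    echo "listener set matches baseline"
}
```

Run `audit` as the last gate before an image is promoted; in real use replace the constructed SNAPSHOT with `ss -Hltnp` captured on the candidate host, and keep the baseline under version control alongside the build definition so a vendor adding a daemon in a later release fails the check rather than silently widening the image's exposure.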
