Dailydave mailing list archives
Re: Gold Builds
From: Tom Parker <tom () rooted net>
Date: Wed, 03 Dec 2003 01:26:36 +0000
At 20:31 29/11/2003, Dave Aitel wrote:
I guess I'm still of the belief that what security consulting companies do is QA, but I think if you HAVE the pull to make your vendors do their own QA, rather than doing it for them, it's nice to push that cost (and the "risk", as an economist would say) back onto them.
'lo Dave et al :>

I concur that many consulting companies are, in general, performing remedial QA-type tasks which really could have (well, should have) been done in the initial development process; probably stating the obvious here. But isn't information assurance, by nature, a form of quality assurance? You're just hiring people who are (purportedly :) expert in looking at things from a specific angle. I guess I'm just agreeing with your point, heh.

Anyway - over the last 12 months I've been exposed to several such "gold builds", most of which were for desktop systems. Similarly to the scenario you described, the builds featured various bits of software, third party to the OS, which are used pretty much on a daily basis, many of said applications incorporating network-based services. Now, due to the sheer number of applications that are *required* to be installed on many "gold builds", the gold build baseline projects often overrun way past their deadlines due to problems getting things even running. With a chorus of screaming upper management wondering why the project has missed deadlines and why it is now costing the firm twice the money in software engineers alone, where do you think that leaves any consideration for the security of the thing :>

As for the operating system, Microsoft do indeed liaise fairly closely with larger clients who are intending on rolling out their products into a gold build, ensuring their needs are catered for; however, I think it's unrealistic to expect the same across the board - especially as there is often little or no choice whether you include the software in the build or not, since your corporation already relies upon it to operate and therefore it must be included.
And unless you've been lucky enough to have a serious incident costing the firm millions, you're then arguing theoretical threat against inhibition of operational capability which, as I'm sure you appreciate, is a fairly futile argument to have with most non-security-savvy decision makers.

Hope I haven't missed your point too much. Just my random 1am spam.

-Tom

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Gold Builds Dave Aitel (Nov 29)
- Re: Gold Builds David Maynor (Nov 29)
- Re: Gold Builds Nexus (Nov 30)
- Re: Gold Builds Tom Parker (Dec 02)
- <Possible follow-ups>
- RE: Gold Builds Brass, Phil (ISS Atlanta) (Nov 30)
- Gold Builds Ollie (Dec 09)