Dailydave mailing list archives

Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes)


From: Pete Herzog <lists () isecom org>
Date: Mon, 13 Nov 2006 15:52:55 +0100

Dave, I can't agree with this at all.  Not handling the low end (patch
management to fix known bugs) is essential.  

Patch management is a fancy word for "add-on support for a problem product"
which is the electronic version of a recall.  Basic defenses are removal
from or elimination of a threat (separation).  Next step up could be
controlling the classes of threats through things like authentication,
confidentiality, etc.  Management processes, like patch management, are
still another step up where after you've already defined your defenses, you
still have some services which you could neither remove nor control from a
class of threats. Those exposed services you need to make sure are running
the best they can.  Here, patch management is the least (read lazy) you can
do. It means you do it because you can wash your hands of it and say, hey,
I patched.  But it's not essential unless it's only covering your ass
that's essential.  If you need security and not just compliance, then those
exposed services better be inspected and tested by the Vuln Research team
to find the stuff the developer didn't.  Because after all, it's your stuff
out there and just waiting for them to find bugs and patch them is really
not gonna do it for those who need it.

-pete.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave