Educause Security Discussion mailing list archives
Managing Client Side Applications and Vendor "compatibility"
From: Chris Green <cmgreen () UAB EDU>
Date: Thu, 7 Feb 2008 10:52:25 -0600
Good day, One of the recurring themes I keep running into is third-party vendor "compatibility" with desktop applications. Scenario usually plays out something like: 1) Vendor Releases Software 2) Vendor Certifies Client Side App (CSA) 1.0 for use with their software 3) Security Team reads "security vulnerability in CSA 1.0, upgrade to CSA 1.1 immediately) 4) Team managing vendor relationship pushes back with "compatibility" statements There's a classic struggle between managing the risk that a computer will be exploited due to something the user follows versus the risk the vendor application breaks. How do you all handle that? I think the only real solution is to have teams responsible for testing apps and making sure the unsupported versions work acceptably and eat the cost. This is a hard solution to sell in the face of limited resources since the person funding the app often thinks the vendor is the one that should be telling them when they can upgrade CSA. Does anyone have success or horror stories on managing this problem? Thanks, Chris -- Chris Green UAB Data Security, 205-975-0842
Current thread:
- Managing Client Side Applications and Vendor "compatibility" Chris Green (Feb 07)
- <Possible follow-ups>
- Re: Managing Client Side Applications and Vendor "compatibility" Shawn Sines (Feb 07)
- Re: Managing Client Side Applications and Vendor "compatibility" Paul Keser (Feb 07)
- Re: Managing Client Side Applications and Vendor "compatibility" Shawn Sines (Feb 07)