Full Disclosure mailing list archives

Re: Getting Off the Patch


From: Tim <tim-security () sentinelchicken org>
Date: Tue, 11 Jan 2011 10:48:51 -0800

> Now imagine if you can properly sandbox XYZ.net - at that point you don't
> *care* if a security patch comes out.  You can choose to only push the patches
> out to your users if a patch comes along that actually affects your site. Then
> you're only spending those 2 hours doing regression testing once every 6 or 8
> months or so. Sure, that sandboxing may take the first guy a solid man-month or
> two of time. But then he can package it, and you can then get the package,
> spend 8 or 10 hours deploying it, and after a few months you've got 2 hours per
> month back.


Yeah, sounds good in theory.  What about when vulnerabilities (and
presumably patches) come out for your "sandbox" or other security
software?

IMO, adding more software to a system rarely results in overall
management gains.  This is because most software, including security
software, sucks.  If you find yourself patching too often, or you
can't trust that the patches won't break your environment, then you
probably need to find a software vendor that invests more in QA.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/