Full Disclosure mailing list archives
Re: Getting Off the Patch
From: Tim <tim-security () sentinelchicken org>
Date: Tue, 11 Jan 2011 10:48:51 -0800
> Now imagine if you can properly sandbox XYZ.net - at that point you don't *care* if a security patch comes out. You can choose to only push the patches out to your users if a patch comes along that actually affects your site. Then you're only spending that 2 hours doing regression testing once every 6 or 8 months or so. Sure, that sandboxing may take the first guy a solid man-month or two of time. But then he can package it, and you can then get the package, spend 8 or 10 hours deploying it, and after a few months you've got 2 hours per month back.

Yeah, sounds good in theory. What about when vulnerabilities (and presumably patches) come out for your "sandbox" or other security software?

IMO, adding more software to a system rarely results in overall management gains. This is because most software, including security software, sucks. If you find yourself patching too often, or you can't trust that the patches won't break your environment, then you probably need to find a software vendor that invests more in QA.

tim