Full Disclosure mailing list archives

Re: Getting Off the Patch


From: Tim <tim-security () sentinelchicken org>
Date: Fri, 14 Jan 2011 09:20:59 -0800


However, I'll go one more- if you find your patches breaking
too often or too many things, then stop patching and find an
alternative.

If security patches break your installation, then I assert that the
solution is the same: find a new vendor.  In the early days Microsoft
found this out the hard way... they used to package feature changes
with security patches.  This commonly broke people's installations, so
they finally got a clue and started fixing just what was broken.  Now
the majority of their patches can be applied with a pretty low error
rate.

Contrast this to the problems that "security" software causes even
outside of adding vulnerabilities to the system (*cough* McAfee+XPSP3
*cough*).   How much do you suppose that disaster cost the entire US
economy in terms of labor lost?

Now many folks might be thinking "oh sure, easy for you to say that I
just find a new vendor, but that's not up to me".  Of course, it is
easy to say it and hard to implement.  But if you follow the bouncing
ball on this argument, you'll realize that the next step is to find a
way to show the decision makers within your organization how much you
are spending on doing the QA that your software vendors should have
done from the beginning.  CISOs should be working with decision makers
to help them understand the likely cost of security maintenance
associated with software purchases.

And ultimately IT organizations should be holding software vendors
liable for their low quality of product.   Yes, the EULAs all say you
can't do this, but in reality there's always a leverage point one way
or another.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

