Full Disclosure mailing list archives
Re: Getting Off the Patch
From: Pete Herzog <lists () isecom org>
Date: Fri, 14 Jan 2011 19:09:54 +0100
On 1/14/2011 4:39 PM, Thor (Hammer of God) wrote:
> > We disagree. Patches change code which has already been operationally and functionally tested. This requires additional testing for each update and patch, and that takes time, money, and other resources away from other things. Therefore it is no wonder that when operations scale upward, the cost of security goes exponential. It's because of all the waste.
>
> Please share the research you have that backs up this statement. I would be very interested in knowing the details that provide the foundation for this argument. I'm particularly interested in the cost points and identification of the exponential cost of security from patching and the money saved by not patching in your environment. I presume that you have empirical evidence of the vast savings based on concurrent operational models in an enterprise environment, so I'm curious as to how many thousands of servers you are operationally responsible for, because that information is not only critical, but required for this model to be considered. IOW, if you could share the analysis you presented to management that they bought off on, that would be extremely helpful.
Maybe you misunderstood this? If you need empirical evidence that patches change code then please do a diff yourself between two apps, one patched and one not. Here I was writing of the cost of functional testing and remediation of the operational security, which scales exponentially as the operations scale. One doesn't need a server farm to prove that, as more servers are introduced into an operation, the number of connections between them grows. 2 servers each with 1 connection have 2. Add 2 more servers and now you have 4 servers but 8 connections to verify. And it goes on like that. If you don't do any testing and don't care then you don't have that work or money to lose with patching. But I said that already.

-pete.

-- 
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/