Secure Coding mailing list archives
web apps are homogenous?
From: jammer at weak.org (Jon McClintock)
Date: Wed, 24 Feb 2010 22:56:06 -0800
On Wed, Feb 24, 2010 at 10:46:56AM -0500, Paco Hope wrote:
> I don't think "webness" conveys any more homogeneity than, say "windowsness" or "linuxness." What part of being a web application provides homogeneity in a way that makes patching cheaper?
In a word, control. Let's compare two different organizations: a commercial software development company, and a web commerce company. They both develop software, but how the software is deployed and managed is widely different.

Commercial software is created by one party, and consumed by multiple other parties. Those parties may run it in widely different operating environments, with different network, software and hardware configurations. They may be running old versions of the software, or using it in novel ways. If the commercial software development company has to patch a vulnerability, they need to first determine which releases of the software need to be patched, develop and test a patch for each supported version, test it across the plethora of different configurations their customers may be running, develop release notes and a security advisory, make the patch available, and support their customers while they are patching.

For a web commerce company, however, the picture is entirely different. While their production fleet may comprise hundreds, or even thousands, of servers, they're likely all running the exact same software and configuration, using a configuration management system to deploy the website software and keep it in sync. If the web commerce company identifies a vulnerability in their website, they can debug the running stack, create a fix, test it against an exact replica of the production stack, and use automated tools to deploy the patch to their entire fleet in one operation.

-Jon