Security Basics mailing list archives

Re: Patching


From: Alessandro Bottonelli <abottonelli () libero it>
Date: Mon, 20 Oct 2003 23:40:05 +0200

OK, so the main idea I get from the list is: a known hole is fixed and the 
others are (for the moment) unknown. Therefore, patching is a good idea.

Hmmmm. I am not convinced yet that all this makes sense from a "wider" 
security perspective. Must a vulnerability / hole be known to be a risk? 
Security risks do not all come from "out there" and "bad guys" trying to 
exploit a vulnerability. System errors, data loss may very well occur from 
holes that are very unknown (or very honest operators that make mistakes).

Once I get a very well oiled and stable infrastructure, I personally suffer 
every time I have to disturb that balance. There's a lot of interdependability 
among the various elements of the whole system. Application X at release n.m 
needs Middleware Y at release j.k that in turn requires OS Z at release l.m 
that in turn.... every time I touch something I feel that I have no control 
(but that could be just me) of where the ripples are going to end up to.

In such an interdependable environment, even if I assume that I have increased 
the level of security of one element by patching, I am not convinced that I 
can say I have increased the security level of the whole.

Sorry if I cannot at the moment phrase it correctly, but there is a loophole 
in the "patching is necessarily good" axiom that I cannot grasp entirely.

Hmmm, this morning caffeine is not gone yet, huh?

-- 
Alessandro Bottonelli

