Security Basics mailing list archives
Re: Patching
From: Alessandro Bottonelli <abottonelli () libero it>
Date: Mon, 20 Oct 2003 23:40:05 +0200
OK, so the main idea I get from the list is: a known hole is fixed and the others are (for the moment) unknown. Therefore, patching is a good idea. Hmmmm. I am not convinced yet that all this makes sense from a "wider" security perspective. Must a vulnerability / hole be known to be a risk? Security risks do not all come from "out there" and "bad guys" trying to exploit a vulnerability. System errors, data loss may very well occur from holes that are very unknown (or very honest operators that make mistakes). Once I get a very well oiled and stable infrastructure, I personally suffer everytime I have to disturb that balance. There's a lot of interdependability among the various elements of the whole system. Application X at release n.m needs Middleware Y at release j.k that in turn requires OS Z at release l.m that in turn.... everytime I touch something I feel that I have no control (but that could be just me) of where the ripples are going to end up to. In such a interdependable environment, even if I assume that I have increased the level of security of one element by patching, I am not convinced that I can say I have increased the security level of the whole. Sorry if I cannot at the moment phrase it correctly, but there is a loophole in the "patching is necessarly good" axiom that I cannot grasp entirely. Hmmm, this morning caffeine is not gone yet, huh? -- Alessandro Bottonelli --------------------------------------------------------------------------- FREE Whitepaper: Better Management for Network Security Looking for a better way to manage your IP security? Learn how Solsoft can help you: - Ensure robust IP security through policy-based management - Make firewall, VPN, and NAT rules interoperable across heterogeneous networks - Quickly respond to network events from a central console Download our FREE whitepaper at: http://www.securityfocus.com/sponsor/Solsoft_security-basics_031015 ----------------------------------------------------------------------------
Current thread:
- Patching Alessandro Bottonelli (Oct 20)
- RE: Patching Raoul Armfield (Oct 20)
- Re: Patching Florian Streck (Oct 20)
- Re: Patching Meritt James (Oct 20)
- RE: Patching Alexander Suhovey (Oct 21)
- Re: Patching Meritt James (Oct 21)
- Re: Patching Meritt James (Oct 20)
- Re: Patching Alessandro Bottonelli (Oct 20)
- Re: Patching Ansgar -59cobalt- Wiechers (Oct 21)
- Re: Patching Alessandro Bottonelli (Oct 21)
- Re: Patching Ansgar -59cobalt- Wiechers (Oct 22)
- RE: Patching Graydon McKee (Oct 22)
- Re: Patching Ansgar -59cobalt- Wiechers (Oct 21)
- <Possible follow-ups>
- Re: Patching David Lanagan (Oct 21)
- RE: Patching Erik R. Myers (Oct 21)
- RE: Patching Gunnoe, Jason (Oct 22)
- RE: Patching Tran, John (Oct 22)