Re: Patching

["Meritt James" <meritt_james () bah com>]

On Mon, Oct 20, 2003 at 10:12:29AM +0200, Alessandro Bottonelli wrote:
> A thought has been crossing my mind for a long time, I'd like to confront it 
> with the list.
>
> In the "old days" a patch and/or fix was defined as "something that closes a 
> known hole and opens ten unknown holes" :-) Yet, literature and common 
> practices keep saying we should maintain our systems and network appliances 
> up to date with the last patches / software releases.
>
> WHY should I feel safer that way? How can I tell Rev. 1.3 is any better 
> (security-wise) than Rev. 1.2 ? Is the cost (financial and others) of change 
> management worth it? If so, how can I measure such worthness?
> -- 
> Alessandro Bottonelli

A journey of a thousand miles starts with a single step. (10,000 -1) is
less than 10,000.  "Safer" is not "safe".

As long as you are thinking, include that in your "why" considerations.

-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

---------------------------------------------------------------------------
FREE Whitepaper: Better Management for Network Security

Looking for a better way to manage your IP security?
Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous
networks
- Quickly respond to network events from a central console

Download our FREE whitepaper at:
http://www.securityfocus.com/sponsor/Solsoft_security-basics_031015
----------------------------------------------------------------------------