Security Basics mailing list archives

Re: Patching

From: "Meritt James" <meritt_james () bah com>
Date: Tue, 21 Oct 2003 12:41:25 -0400

Called "doing your job".  If things were trivial and automatic then
things would be.  They are not, hence the profession.

Alexander Suhovey wrote:


IMO the point of Alessandro's message is that fixes introduce *new* holes so
your formula should be corrected to:
10,000 - 1 + n, where n>0.  The question is if n<1 :)

Al.

-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com]
Sent: Tuesday, October 21, 2003 12:38 AM
To: security-basics () securityfocus com
Subject: Re: Patching

On Mon, Oct 20, 2003 at 10:12:29AM +0200, Alessandro Bottonelli wrote:

A thought has been crossing my mind for a long time, I'd like to
confront it
with the list.

In the "old days" a patch and/or fix was defined as "something that
closes a
known hole and opens ten unknown holes" :-) Yet, literature and common
practices keep saying we should maintain our systems and network

appliances

up to date with the last patches / software releases.

WHY should I feel safer that way? How can I tell Rev. 1.3 is any
better
(security-wise) than Rev. 1.2 ? Is the cost (financial and others) of

change

management worth it? If so, how can I measure such worthness?
--
Alessandro Bottonelli


A journey of a thousand miles starts with a single step. (10,000 -1) is less
than 10,000.  "Safer" is not "safe".

As long as you are thinking, include that in your "why" considerations.

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

---------------------------------------------------------------------------
FREE Whitepaper: Better Management for Network Security

Looking for a better way to manage your IP security?
Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous
networks
- Quickly respond to network events from a central console

Download our FREE whitepaper at:
http://www.securityfocus.com/sponsor/Solsoft_security-basics_031015
----------------------------------------------------------------------------


-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

---------------------------------------------------------------------------
Visual & Easy-to-use are not words that you think of when talking about 
network analyzers. Are you sick of the three window text decodes? Download ClearSight Network's Analyzer and see a new 
network analysis tool that 
makes the complex - easy
http://www.securityfocus.com/sponsor/ClearSightNetworks_security-basics_031021
----------------------------------------------------------------------------

Current thread:

Patching Alessandro Bottonelli (Oct 20)
- RE: Patching Raoul Armfield (Oct 20)
- Re: Patching Florian Streck (Oct 20)
  - Re: Patching Meritt James (Oct 20)
    - RE: Patching Alexander Suhovey (Oct 21)
    - Re: Patching Meritt James (Oct 21)
- Re: Patching Alessandro Bottonelli (Oct 20)
  - Re: Patching Ansgar -59cobalt- Wiechers (Oct 21)
    - Re: Patching Alessandro Bottonelli (Oct 21)
    - Re: Patching Ansgar -59cobalt- Wiechers (Oct 22)
    - RE: Patching Graydon McKee (Oct 22)
  - Re: Patching gregh (Oct 21)
  - RE: Patching Raoul Armfield (Oct 21)
- <Possible follow-ups>
- Re: Patching David Lanagan (Oct 21)
- RE: Patching Erik R. Myers (Oct 21)
- RE: Patching Gunnoe, Jason (Oct 22)

(Thread continues...)