Security Basics mailing list archives
Re: Patching
From: "Meritt James" <meritt_james () bah com>
Date: Tue, 21 Oct 2003 12:41:25 -0400
Called "doing your job". If things were trivial and automatic then things would be. They are not, hence the profession. Alexander Suhovey wrote:
IMO the point of Alessandro's message is that fixes introduce *new* holes so your formula should be corrected to: 10,000 - 1 + n, where n>0. The question is if n<1 :)

Al.

-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com]
Sent: Tuesday, October 21, 2003 12:38 AM
To: security-basics () securityfocus com
Subject: Re: Patching

On Mon, Oct 20, 2003 at 10:12:29AM +0200, Alessandro Bottonelli wrote:

> A thought has been crossing my mind for a long time, I'd like to confront it with the list. In the "old days" a patch and/or fix was defined as "something that closes a known hole and opens ten unknown holes" :-) Yet, literature and common practices keep saying we should maintain our systems and network appliances up to date with the last patches / software releases. WHY should I feel safer that way? How can I tell Rev. 1.3 is any better (security-wise) than Rev. 1.2? Is the cost (financial and others) of change management worth it? If so, how can I measure such worthiness?
>
> --
> Alessandro Bottonelli
> A journey of a thousand miles starts with a single step.

(10,000 - 1) is less than 10,000. "Safer" is not "safe". As long as you are thinking, include that in your "why" considerations.

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
Current thread:
- Patching Alessandro Bottonelli (Oct 20)
- RE: Patching Raoul Armfield (Oct 20)
- Re: Patching Florian Streck (Oct 20)
- Re: Patching Meritt James (Oct 20)
- RE: Patching Alexander Suhovey (Oct 21)
- Re: Patching Meritt James (Oct 21)
- Re: Patching Meritt James (Oct 20)
- Re: Patching Alessandro Bottonelli (Oct 20)
- Re: Patching Ansgar -59cobalt- Wiechers (Oct 21)
- Re: Patching Alessandro Bottonelli (Oct 21)
- Re: Patching Ansgar -59cobalt- Wiechers (Oct 22)
- RE: Patching Graydon McKee (Oct 22)
- Re: Patching Ansgar -59cobalt- Wiechers (Oct 21)
- <Possible follow-ups>
- Re: Patching David Lanagan (Oct 21)
- RE: Patching Erik R. Myers (Oct 21)
- RE: Patching Gunnoe, Jason (Oct 22)