Educause Security Discussion mailing list archives
Re: Managing Client Side Applications and Vendor "compatibility"
From: Shawn Sines <sines.22 () OSU EDU>
Date: Thu, 7 Feb 2008 13:19:41 -0500
Greg.. some notes.Impacts to DNA slide - First you may want to reconsider this title.. maybe Impact to DNAs or Impact on DNAs. Second in the text you have a bad sentence: "Users may need assistance.." there is an odd combination here - to and for should be fixed. Also you mention ODS Users will need the VPN client later but that is not true if the network is site-to-site, so consider changing that to "may" and clarifying it with a bullet or in the presentation itself.
Shawn Sines Information Security Outreach Specialist Office of the CIO Information Security ------------------------------------------------------ Desk phone - (614)247-6821 sines.22 () osu edu ------------------------------------------------------"The most dangerous thing in the world is an idea - it can't be killed, it can't be unlearned it can only be forgotten until it is rediscovered again and put to use."
On Feb 7, 2008, at 11:52 AM, Chris Green wrote:
Good day,One of the recurring themes I keep running into is third-party vendor “compatibility” with desktop applications.Scenario usually plays out something like: 1) Vendor Releases Software2) Vendor Certifies Client Side App (CSA) 1.0 for use with their software 3) Security Team reads “security vulnerability in CSA 1.0, upgrade to CSA 1.1 immediately) 4) Team managing vendor relationship pushes back with “compatibility” statementsThere’s a classic struggle between managing the risk that a computer will be exploited due to something the user follows versus the risk the vendor application breaks. How do you all handle that?I think the only real solution is to have teams responsible for testing apps and making sure the unsupported versions work acceptably and eat the cost. This is a hard solution to sell in the face of limited resources since the person funding the app often thinks the vendor is the one that should be telling them when they can upgrade CSA.Does anyone have success or horror stories on managing this problem? Thanks, Chris -- Chris Green UAB Data Security, 205-975-0842
Current thread:
- Managing Client Side Applications and Vendor "compatibility" Chris Green (Feb 07)
- <Possible follow-ups>
- Re: Managing Client Side Applications and Vendor "compatibility" Shawn Sines (Feb 07)
- Re: Managing Client Side Applications and Vendor "compatibility" Paul Keser (Feb 07)
- Re: Managing Client Side Applications and Vendor "compatibility" Shawn Sines (Feb 07)