Educause Security Discussion mailing list archives
Re: Managing Client Side Applications and Vendor "compatibility"
From: Paul Keser <pkeser () STANFORD EDU>
Date: Thu, 7 Feb 2008 11:07:35 -0800
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 huh...I think you responded to a different thread...I hope :-) - -PaulK Paul Keser Assoc. Information Security Officer Stanford University 650.724.9051 GPG Fingerprint: DBA3 E20F CE91 28AA DA1C 4A77 3BD9 C82D 2699 24FB Shawn Sines wrote:
Greg.. some notes. Impacts to DNA slide - First you may want to reconsider this title.. maybe Impact to DNAs or Impact on DNAs. Second in the text you have a bad sentence: "Users may need assistance.." there is an odd combination here - to and for should be fixed. Also you mention ODS Users will need the VPN client later but that is not true if the network is site-to-site, so consider changing that to "may" and clarifying it with a bullet or in the presentation itself. Shawn Sines Information Security Outreach Specialist Office of the CIO Information Security ------------------------------------------------------ Desk phone - (614)247-6821 sines.22 () osu edu <mailto:sines.22 () osu edu> ------------------------------------------------------ "The most dangerous thing in the world is an idea - it can't be killed, it can't be unlearned it can only be forgotten until it is rediscovered again and put to use." On Feb 7, 2008, at 11:52 AM, Chris Green wrote:Good day, One of the recurring themes I keep running into is third-party vendor “compatibility” with desktop applications. Scenario usually plays out something like: 1) Vendor Releases Software 2) Vendor Certifies Client Side App (CSA) 1.0 for use with their software 3) Security Team reads “security vulnerability in CSA 1.0, upgrade to CSA 1.1 immediately) 4) Team managing vendor relationship pushes back with “compatibility” statements There’s a classic struggle between managing the risk that a computer will be exploited due to something the user follows versus the risk the vendor application breaks. How do you all handle that? I think the only real solution is to have teams responsible for testing apps and making sure the unsupported versions work acceptably and eat the cost. This is a hard solution to sell in the face of limited resources since the person funding the app often thinks the vendor is the one that should be telling them when they can upgrade CSA. Does anyone have success or horror stories on managing this problem? Thanks, Chris -- Chris Green UAB Data Security, 205-975-0842
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHq1b3O9nILSaZJPsRAjdaAJ42CmGJVd25Zyv18RPOXEW9KHvAUwCgocm4 94F937MK6psE1GRFt4NI8ZM= =SQvu -----END PGP SIGNATURE-----
Current thread:
- Managing Client Side Applications and Vendor "compatibility" Chris Green (Feb 07)
- <Possible follow-ups>
- Re: Managing Client Side Applications and Vendor "compatibility" Shawn Sines (Feb 07)
- Re: Managing Client Side Applications and Vendor "compatibility" Paul Keser (Feb 07)
- Re: Managing Client Side Applications and Vendor "compatibility" Shawn Sines (Feb 07)