Re: Managing Client Side Applications and Vendor "compatibility"

[Shawn Sines <sines.22 () OSU EDU>]

Yeah, I flubbed on a response and somehow sent it to the list.. Sorry  
for the erroneous traffic.. Bad Shawn! Bad!


Shawn Sines
Information Security Outreach Specialist
Office of the CIO Information Security
------------------------------------------------------
Desk phone - (614)247-6821
sines.22 () osu edu
------------------------------------------------------
"The most dangerous thing in the world is an idea - it can't be  
killed, it can't be unlearned it can only be forgotten until it is  
rediscovered again and put to use."




On Feb 7, 2008, at 2:07 PM, Paul Keser wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> huh...I think you responded to a different thread...I hope :-)
>
> - -PaulK
>
> Paul Keser
> Assoc. Information Security Officer
> Stanford University
> 650.724.9051
> GPG Fingerprint:  DBA3 E20F CE91 28AA DA1C  4A77 3BD9 C82D 2699 24FB
>
>
> Shawn Sines wrote:
> > Greg.. some notes.
> >
> > Impacts to DNA slide - First you may want to reconsider this title..
> > maybe Impact to DNAs or Impact on DNAs. Second in the text you have a
> > bad sentence: "Users may need assistance.." there is an odd  
> > combination
> > here - to and for should be fixed.
> > Also you mention ODS Users will need the VPN client later but that is
> > not true if the network is site-to-site, so consider changing that to
> > "may" and clarifying it with a bullet or in the presentation itself.
> >
> > Shawn Sines
> > Information Security Outreach Specialist
> > Office of the CIO Information Security
> > ------------------------------------------------------
> > Desk phone - (614)247-6821
> > sines.22 () osu edu <mailto:sines.22 () osu edu>
> > ------------------------------------------------------
> > "The most dangerous thing in the world is an idea - it can't be  
> > killed,
> > it can't be unlearned it can only be forgotten until it is  
> > rediscovered
> > again and put to use."
> >
> >
> >
> >
> > On Feb 7, 2008, at 11:52 AM, Chris Green wrote:
> >
> > > Good day,
> > >
> > > One of the recurring themes I keep running into is third-party  
> > > vendor
> > > “compatibility” with desktop applications.
> > >
> > > Scenario usually plays out something like:
> > >
> > > 1)      Vendor Releases Software
> > > 2)      Vendor Certifies Client Side App (CSA) 1.0 for use with  
> > > their
> > > software
> > > 3)      Security Team reads “security vulnerability in CSA 1.0,
> > > upgrade to CSA 1.1 immediately)
> > > 4)      Team managing vendor relationship pushes back with
> > > “compatibility” statements
> > >
> > > There’s a classic struggle between managing the risk that a computer
> > > will be exploited due to something the user follows versus the risk
> > > the vendor application breaks.  How do you all handle that?
> > >
> > > I think the only real solution is to have teams responsible for
> > > testing apps and making sure the unsupported versions work  
> > > acceptably
> > > and eat the cost.   This is a hard solution to sell in the face of
> > > limited resources since the person funding the app often thinks the
> > > vendor is the one that should be telling them when they can  
> > > upgrade CSA.
> > >
> > > Does anyone have success or horror stories on managing this problem?
> > >
> > > Thanks,
> > > Chris
> > > --
> > > Chris Green
> > > UAB Data Security, 205-975-0842
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFHq1b3O9nILSaZJPsRAjdaAJ42CmGJVd25Zyv18RPOXEW9KHvAUwCgocm4
> 94F937MK6psE1GRFt4NI8ZM=
> =SQvu
> -----END PGP SIGNATURE-----