Full Disclosure mailing list archives
Re: Getting Off the Patch
From: Tim <tim-security () sentinelchicken org>
Date: Fri, 14 Jan 2011 09:20:59 -0800
> However, I'll go one more: if you find your patches breaking too often or too many things, then stop patching and find an alternative.

If security patches break your installation, then I assert that the solution is the same: find a new vendor.

In the early days Microsoft found this out the hard way... they used to package feature changes with security patches. This commonly broke people's installations, so they finally got a clue and started fixing just what was broken. Now the majority of their patches can be applied with a pretty low error rate.

Contrast this to the problems that "security" software causes even outside of adding vulnerabilities to the system (*cough* McAfee+XPSP3 *cough*). How much do you suppose that disaster cost the entire US economy in terms of labor lost?

Now many folks might be thinking "oh sure, easy for you to say that I just find a new vendor, but that's not up to me". Of course, it is easy to say it and hard to implement. But if you follow the bouncing ball on this argument, you'll realize that the next step is to find a way to show the decision makers within your organization how much you are spending on doing the QA that your software vendors should have done from the beginning.

CISOs should be working with decision makers to help them understand the likely cost of security maintenance associated with software purchases. And ultimately IT organizations should be holding software vendors liable for their low quality of product. Yes, the EULAs all say you can't do this, but in reality there's always a leverage point one way or another.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/