Full Disclosure mailing list archives
Re: Getting Off the Patch
From: Pete Herzog <lists () isecom org>
Date: Mon, 17 Jan 2011 13:51:04 +0100
Phocean,
> I can't leave that one. Seriously and with all the respect I have for you, have you ever worked for a large company?
Of course.
> First, there are ALWAYS (we are talking about scaling organisations, right, not about startups) SEVERAL environments for critical applications. Not for patching, but for coding, testing, validating and producing. Each platform can be used for testing the patches. Patch management doesn't involve additional cost here. It is just the way production environments work.
I agree that patching is not the largest part of an infrastructure but unfortunately, it's one that many organizations rely on for security. You can't deny that. I'm glad yours doesn't so maybe it doesn't matter to you. And what about the smaller organizations that don't have multiple environments or do their own coding? The article was written to a broad audience. Like many are. How many times have you read an article and realized it doesn't apply to you or someone in your situation? Do you go on the attack for all of them? We both know that there are situations where patching is the means of security for many organizations. I want to see that changed and one of the things they hate is the chore of patching and patch remediation.
> Second, companies using critical applications and serious about their users and environments don't care about the cost of a few more servers if ever it was required.
That's a fallacious argument because there's no win. If I prove otherwise you tell me they're not "serious".
> I am aware one can find tons of counter examples of big companies failing in having such processes, but it is an organization problem. Not a patch management one.
Sorry if me trying to help find solutions for those companies bothers you so much. Please feel free to ignore my future posts and future work then so as not to waste your time.
Sincerely,
-pete.
--
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/