funsec mailing list archives

Re: "Perspective: Wresting free from a software straitjacket"


From: Florian Weimer <fw () deneb enyo de>
Date: Sat, 02 Dec 2006 16:30:42 +0100

* Paul Vixie:

...

"This backward methodology to security is inefficient and exceedingly
expensive. To keep valuable assets protected, IT staffers must constantly
track software vulnerability databases in order to stay one step ahead of the
bad guys.  Each vendor patch release leads to an IT fire drill of testing and
remediating all vulnerable systems.  It is estimated that fixing software
security problems in production environments can be more than 100 times more
costly than doing so in the development cycle."

...

http://news.com.com/2010-1002_3-6139456.html?part=rss&tag=2547-1_3-0-5

Is the "100 times" part really correct?  Can you confirm the factor
for BIND? 8-)

It seems to me that you need a holistic viewpoint to reach that
factor.  Distributed patching is fairly cheap for vendors.  And it
seems that it doesn't matter from an end user perspective if you need
to patch 10 or 100 or 1000 bugs per year, as long as the vendor packs
as many bug fixes as possible into a single update which is released
in a somewhat predictable manner.  The step from 0 to 1 can be quite
noticeable, though, especially if you didn't plan for patching at all.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.