Information Security News mailing list archives

Patch system in the works


From: InfoSec News <isn () c4i org>
Date: Tue, 26 Mar 2002 02:34:35 -0600 (CST)

http://www.fcw.com/fcw/articles/2002/0325/news-patch-03-25-02.asp

By Diane Frank 
March 25, 2002

The General Services Administration expects to award a contract today
to a team led by Science Applications International Corp. to set up a
governmentwide system to notify agencies about security holes in
commercial software products and the availability of patches to fix
them.

The security patch dissemination system is seen as critical to the
security of government operations. People who create computer viruses
or hack into Web sites frequently do so by exploiting small flaws in
operating systems or applications.

In many cases, security patches — small blocks of code — are available
online from vendors or popular security organizations, but agencies
often do not know about, seek or apply patches until it is too late.

The $1.5 million, one-year task order expected to be awarded via the
GSA Safeguard contract will enable agencies to get notification about
patches from commercial software vendors for systems on their
networks.

"This will help agencies correct what, to me, is one of the largest
problems that exists," said Sallie McDonald, GSA's assistant
commissioner for information assurance and critical infrastructure
protection.

Agency officials whom GSA's Federal Computer Incident Response Center
(FedCIRC) talked to last week were "very excited" about the award,
McDonald said.

Security officials at the Office of Management and Budget and other
federal organizations have encouraged agencies to address the patch
problem. However, they admit that most systems administrators are
simply overwhelmed by the number of patches issued for their own
systems, much less those for systems they do not even use.

Using the new system, administrators will be able to provide SAIC and
its subcontractor, Vigilinx Inc., with a profile of their network
systems, McDonald said. This will ensure that they receive only the
patches that apply to their systems.

The system, hosted on the FedCIRC Web site, will give systems
administrators a single point for all patches, said Gene Hunt,
corporate vice president of SAIC's system security and engineering
operation. The SAIC team will provide patches and test whether they
actually work, he said.

The team also will use the system to alert subscribers about potential
vulnerabilities and, when possible, tell them what steps they can take
to address problems before a patch is available. Once a patch is
available, the SAIC team will notify subscribers, test the patch, then
tell subscribers it is available via download.

The system also will improve security management by listing for
managers the available patches and which ones their systems
administrators have downloaded, Hunt said. When a patch is downloaded,
the system also will automatically send an e-mail to FedCIRC, he said.

SAIC will start marketing the service to agencies this week, and it
should be fully operational in June, McDonald said. GSA is paying for
the full cost of the system and service, so it is free for agencies.

"It's really going to help them do their jobs better," she said.



-
ISN is currently hosted by Attrition.org
