oss-sec mailing list archives
Re: Open Source Tool | vPrioritization | Risk Prioritization Framework
From: "The Doctor [412/724/301/703/415/510]" <drwho () virtadpt net>
Date: Wed, 09 Sep 2020 14:49:42 +0000
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Tuesday, September 8, 2020 6:03 PM, Alex Gaynor <alex.gaynor () gmail com> wrote:
> Oh they have a policy. It says that systems will be patched in a timely manner. And then the kind accountants who perform the audits say, "Great policy, this is fully compliant, have an ATO and a gold star". And then

I wish I could not confirm this. In the assignments I was given, this was the rule and not the exception.

> random things all over the place are not patched at all because federal IT departments have astonishingly poor automation practices, extremely limited

A lot of that seems to boil down to "You want to run this random piece of software to automate the job we're paying you to do? Forget it." There is also the odd "We won't run any software that doesn't have <some number of expensive independent code audits and certifications> and what you want to do doesn't have those (even though you claim they do, we think you're lying)."

> reuse of systems across distinct projects (contracts) within the agency and

Secure data erasure and platform disposal practices have something to do with this.

> there is nothing approaching a comprehensive way for a federal agency to answer "did we deploy the updated struts for all of our stuff".

With a side order of "the contractors we hired for this stuff should be on top of it," even when they're not the prime on the contract anymore.

The Doctor [412/724/301/703/415/510]
WWW: https://drwho.virtadpt.net/
The old world is dying, and the new world struggles to be born. Now is the time of monsters.