Re: counter to claim made on Tenable podcast about upgrading

[Frank McClain <frank.mc.42 () gmail com>]

Well, we've all seen times when a new release creates vulnerabilities that did not previously exist; in some of these 
cases, the new ones were worse than the old ones (never mind issues of performance, stability, etc).  Rushing to adopt 
a new version without thoroughly testing first can create problems.  

Patches, I tend to view as less of an issue for adoption, especially if they're for security reasons.  If a 
vulnerability has been discovered, and the vendor is actually going to patch it, then it's probably important to at 
least seriously look at it in light of your environment.  You do have to make sure that it's not going to break some 
other functionality, while still ensuring that you're covered from the vulnerability standpoint.  If you're in a 
regulated industry, your options may be limited when external auditors discover vulnerabilities that they say you 
should have patched.

On the other hand, if you feel it's important not to immediately push out new versions or patches, I wouldn't stay too 
far behind.  Reason is, you risk the vendor no longer supporting prior versions.  I've seen some cases where it seemed 
that the vendor dropped an older version rather quickly, because the newer one had more bells and whistles.  Obviously, 
one revision behind probably isn't too far out of line.

Regards,

Frank

----- Original Message -----
From: "Robin Wood" <robin () digininja org>
To: "PaulDotCom Mailing List" <pauldotcom () mail pauldotcom com>
Sent: Sunday, January 27, 2013 10:46:50 AM
Subject: [Pauldotcom] counter to claim made on Tenable podcast about    upgrading








Hi 
I'm listening to the latest Tenable podcast and Paul was talking about making sure you upgrade to the latest version of 
apps just in case someone has an exploit for an old version which has either been deliberately, or accidentally, fixed 
in the latest version. 

I'd counter that with older versions of apps have been around longer so have had more time to probed by the good guys 
and so vulnerabilities found and then announced. The latest apps haven't yet been probed so may have new issues which 
have been introduced in the new version. 

The idea suggested of being one version behind, as mentioned, may therefore be best from this point of view as the app 
has had time to be looked over but isn't too far out of date. 

I'd agree that you should stay up-to-date but don't think this argument is the best to use. 

Robin 

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com