Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Getting Off the Patch
From: Tim <tim-security () sentinelchicken org>
Date: Tue, 11 Jan 2011 10:48:51 -0800

Now imagine if you can properly sandbox XYZ.net - at that point you don't
*care* if a security patch comes out.  You can choose to only push the patches
out to your users if a patch comes along that actually affects your site. Then
you're only spending that 2 hours doing regression testing once every 6 or 8
months or so. Sure, that sandboxing may take the first guy a solid man-month or
two of time. But then he can package it, and you can then get the package,
spend 8 or 10 hours deploying it, and after a few months you've got 2 hours per
month back.


Yeah, sounds good in theory.  What about when vulnerabilities (and
presumably patches) come out for your "sandbox" or other security
software?  

IMO, adding more software to a system rarely results in overall
management gains.  This is because most software, including security
software, sucks.  If you find yourself patching too often, or you
can't trust that the patches won't break your environment, then you
probably need to find a software vendor that invests more in QA. 

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]