Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Getting Off the Patch
From: Pete Herzog <lists () isecom org>
Date: Mon, 17 Jan 2011 13:51:04 +0100


I can't leave that one. Seriously and with all the respect I have for
you, have you ever worked for a large company ?

Of course.

First, there are ALWAYS (we are talking about scaling organisations,
right, not about startups) SEVERAL environments for critical
applications. Not for patching, but for coding, testing, validating and
producing. Each platform can be used for testing the patches. Patch
management doesn't involve additional cost here. It is just the way
production environments work.

I agree that patching is not the largest part of an infrastructure but 
unfortunately, it's one that many organizations rely on for security. 
You can't deny that. I'm glad yours doesn't so maybe it doesn't matter 
to you. And what about the smaller organizations that don't have 
multiple environments or do their own coding? The article was written 
to a broad audience. Like many are. How many times have you read an 
article and realized it doesn't apply to you or someone in your 
situation? Do you go on the attack for all of them? We both know that 
there are situations where patching is the means of security for many 
organizations. I want to see that changed and one of the things they 
hate is the chore of patching and patch remediation.

Second, companies using critical applications and serious about their
users and environments don't care about the cost of a few more servers
if ever it was required.

That's a fallacious argument because there's no win. If I prove 
otherwise you tell me their not "serious".

I am aware one can find tons of counter examples of big companies
failing in having such processes, but it is an organization problem. Not
a patch management one.

Sorry if me trying to help find solutions for those companies bothers 
you so much. Please feel free to ignore my future posts and future 
work then so as not to waste your time.


Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]