mailing list archives
Re: Getting Off the Patch
From: Pete Herzog <lists () isecom org>
Date: Mon, 17 Jan 2011 13:51:04 +0100
I can't leave that one. Seriously and with all the respect I have for
you, have you ever worked for a large company ?
First, there are ALWAYS (we are talking about scaling organisations,
right, not about startups) SEVERAL environments for critical
applications. Not for patching, but for coding, testing, validating and
producing. Each platform can be used for testing the patches. Patch
management doesn't involve additional cost here. It is just the way
production environments work.
I agree that patching is not the largest part of an infrastructure but
unfortunately, it's one that many organizations rely on for security.
You can't deny that. I'm glad yours doesn't so maybe it doesn't matter
to you. And what about the smaller organizations that don't have
multiple environments or do their own coding? The article was written
to a broad audience. Like many are. How many times have you read an
article and realized it doesn't apply to you or someone in your
situation? Do you go on the attack for all of them? We both know that
there are situations where patching is the means of security for many
organizations. I want to see that changed and one of the things they
hate is the chore of patching and patch remediation.
Second, companies using critical applications and serious about their
users and environments don't care about the cost of a few more servers
if ever it was required.
That's a fallacious argument because there's no win. If I prove
otherwise you tell me their not "serious".
I am aware one can find tons of counter examples of big companies
failing in having such processes, but it is an organization problem. Not
a patch management one.
Sorry if me trying to help find solutions for those companies bothers
you so much. Please feel free to ignore my future posts and future
work then so as not to waste your time.
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/