mailing list archives
Re: Getting Off the Patch
From: cpolish () surewest net
Date: Wed, 19 Jan 2011 07:08:54 -0800
Cor Rosielle wrote:
I don't agree with the statement: "From a security standpoint, patching is
better than not patching. Period.".
Sometimes patching is the right solution, often it is not. Since some asked
experiences from larger companies, here is one:
I did not know about the OSSTMM in those days. If I did, I could have
explained why patching is not always the best solution: it interferes with
your operations. And if it influences you operations, you better control it.
Not blindly execute it and install the patch using an automated update
process, but actually control it.
Here's another factor to consider: with $VENDOR's kit you can't
get support unless all the released patches are in place.
$VENDOR doesn't field the resources to support n differently
patched systems in the field; they're already coping with n
different *configurations* of their product. At our shop some
vendors are more critical re support than others so there's not
a blanket policy. Management would not be amused if $SYSTEM was
down but wasn't in a $VENDOR-supported state. This isn't
theoretical - it happened, it was ugly, it came with extended
TLDR: site patching policy is not always homogenous.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/