[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Getting Off the Patch

To: phocean <0x90@xxxxxxxxxxx>
Subject: Re: [Full-disclosure] Getting Off the Patch
From: Pete Herzog <lists@xxxxxxxxxx>
Date: Mon, 17 Jan 2011 13:51:04 +0100

Phocean,

> I can't leave that one. Seriously and with all the respect I have for
> you, have you ever worked for a large company ?

Of course.

>
> First, there are ALWAYS (we are talking about scaling organisations,
> right, not about startups) SEVERAL environments for critical
> applications. Not for patching, but for coding, testing, validating and
> producing. Each platform can be used for testing the patches. Patch
> management doesn't involve additional cost here. It is just the way
> production environments work.

I agree that patching is not the largest part of an infrastructure but 
unfortunately, it's one that many organizations rely on for security. 
You can't deny that. I'm glad yours doesn't so maybe it doesn't matter 
to you. And what about the smaller organizations that don't have 
multiple environments or do their own coding? The article was written 
to a broad audience. Like many are. How many times have you read an 
article and realized it doesn't apply to you or someone in your 
situation? Do you go on the attack for all of them? We both know that 
there are situations where patching is the means of security for many 
organizations. I want to see that changed and one of the things they 
hate is the chore of patching and patch remediation.

>
> Second, companies using critical applications and serious about their
> users and environments don't care about the cost of a few more servers
> if ever it was required.

That's a fallacious argument because there's no win. If I prove 
otherwise you tell me their not "serious".

>
> I am aware one can find tons of counter examples of big companies
> failing in having such processes, but it is an organization problem. Not
> a patch management one.

Sorry if me trying to help find solutions for those companies bothers 
you so much. Please feel free to ignore my future posts and future 
work then so as not to waste your time.

Sincerely,
-pete.

-- 
Pete Herzog - Managing Director - pete@xxxxxxxxxx
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Getting Off the Patch
  - From: phocean

References:
- [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog
- Re: [Full-disclosure] Getting Off the Patch
  - From: Zach C
- Re: [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog
- Re: [Full-disclosure] Getting Off the Patch
  - From: phocean
- Re: [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog
- Re: [Full-disclosure] Getting Off the Patch
  - From: Thor (Hammer of God)
- Re: [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog
- Re: [Full-disclosure] Getting Off the Patch
  - From: phocean

Prev by Date: Re: [Full-disclosure] Getting Off the Patch
Next by Date: Re: [Full-disclosure] Dancho Danchev gone missing in Bulgaria
Previous by thread: Re: [Full-disclosure] Getting Off the Patch
Next by thread: Re: [Full-disclosure] Getting Off the Patch
Index(es):
- Date
- Thread