lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110111184851.GC2148@sentinelchicken.org>
Date: Tue, 11 Jan 2011 10:48:51 -0800
From: Tim <tim-security@...tinelchicken.org>
To: Valdis.Kletnieks@...edu
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"lists@...com.org" <lists@...com.org>
Subject: Re: Getting Off the Patch

> Now imagine if you can properly sandbox XYZ.net - at that point you don't
> *care* if a security patch comes out.  You can choose to only push the patches
> out to your users if a patch comes along that actually affects your site. Then
> you're only spending that 2 hours doing regression testing once every 6 or 8
> months or so. Sure, that sandboxing may take the first guy a solid man-month or
> two of time. But then he can package it, and you can then get the package,
> spend 8 or 10 hours deploying it, and after a few months you've got 2 hours per
> month back.


Yeah, sounds good in theory.  What about when vulnerabilities (and
presumably patches) come out for your "sandbox" or other security
software?  

IMO, adding more software to a system rarely results in overall
management gains.  This is because most software, including security
software, sucks.  If you find yourself patching too often, or you
can't trust that the patches won't break your environment, then you
probably need to find a software vendor that invests more in QA. 

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ