Date: Tue, 11 Jan 2011 10:48:51 -0800
From: Tim <tim-security@...tinelchicken.org>
To: Valdis.Kletnieks@...edu
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"lists@...com.org" <lists@...com.org>
Subject: Re: Getting Off the Patch

> Now imagine if you can properly sandbox XYZ.net - at that point you don't
> *care* if a security patch comes out.  You can choose to only push the patches
> out to your users if a patch comes along that actually affects your site. Then
> you're only spending that 2 hours doing regression testing once every 6 or 8
> months or so. Sure, that sandboxing may take the first guy a solid man-month or
> two of time. But then he can package it, and you can then get the package,
> spend 8 or 10 hours deploying it, and after a few months you've got 2 hours per
> month back.
Yeah, sounds good in theory.  What about when vulnerabilities (and
presumably patches) come out for your "sandbox" or other security
software?  

IMO, adding more software to a system rarely results in overall
management gains.  This is because most software, including security
software, sucks.  If you find yourself patching too often, or you
can't trust that the patches won't break your environment, then you
probably need to find a software vendor that invests more in QA. 

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/