lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110114172059.GE2121@sentinelchicken.org>
Date: Fri, 14 Jan 2011 09:20:59 -0800
From: Tim <tim-security@...tinelchicken.org>
To: Pete Herzog <lists@...com.org>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Getting Off the Patch


> However, I'll go one more- if you find your patches breaking
> too often or too many things, then stop patching and find an
> alternative.

If security patches break your installation, then I assert that the
solution is the same: find a new vendor.  In the early days Microsoft
found this out the hard way... they used to package feature changes
with security patches.  This commonly broke peoples' installations, so
they finally got a clue and started fixing just what was broken.  Now
the majority of their patches can be applied with a pretty low error
rate.

Contrast this to the problems that "security" software causes even
outside of adding vulnerabilities to the system (*cough* McAfee+XPSP3
*cough*).   How much do you suppose that disaster cost the entire US
economy in terms of labor lost?

Now many folks might be thinking "oh sure, easy for you to say that I
just find a new vendor, but that's not up to me".  Of course, it is
easy to say it and hard to implement.  But if you follow the bouncing
ball on this argument, you'll realize that the next step is to find a
way to show the decision makers within your organization how much you
are spending on doing the QA that your software vendors should have
done from the beginning.  CISOs should be working with decision makers
to help them understand the likely cost of security maintenance
associated with software purchases.

And ultimately IT organizations should be holding software vendors
liable for their low quality of product.   Yes, the EULAs all say you
can't do this, but in reality there's always a leverage point one way
or another.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ