Dailydave mailing list archives

Re: Gold Builds


From: Tom Parker <tom () rooted net>
Date: Wed, 03 Dec 2003 01:26:36 +0000

At 20:31 29/11/2003, Dave Aitel wrote:

I guess, I'm still of the belief that what security consulting companies do is QA, but I think if you HAVE the pull to 
make your vendors do their own QA, rather than doing it for them, it's nice to push that cost (and the "risk", as an 
economist would say) back onto them.

lo Dave et al :>

I concur that many consulting companies are, in general, performing remedial QA type tasks, which really could have (well 
should have) been done in the initial development process; probably stating the obvious here. But isn't Information 
assurance, by nature, a form of Quality Assurance? You're just hiring people who are (purportedly :) expert in looking at 
things from a specific angle. I guess I'm just agreeing with your point, heh. 

Anyway - Over the last 12 months I've been exposed to several such "gold builds", most of which were for desktop 
systems. Similarly to the scenario you described, the builds featured various bits of software, 3rd party to the OS, 
which are used pretty much on a daily basis, many of said applications incorporating network based services. Now, due 
to the sheer number of applications that are *required* to be installed on many "gold builds", the gold build 
baseline projects often overrun way past their deadlines due to problems getting things even running. With a chorus of 
screaming upper management wondering why the project has missed deadlines and why it is now costing the firm twice the 
money in software engineers alone, where do you think that leaves any consideration for the security of the thing :> 

As for the operating system, Microsoft do indeed liaise fairly closely with larger clients who are intending on rolling 
out their products into a gold build, ensuring their needs are catered for; however I think it's unrealistic to expect 
the same across the board - especially as there is often little or no choice whether you include the software in the 
build or not, since your corporation already relies upon it to operate and therefore, it must be included. And unless 
you've been lucky enough to have a serious incident, costing the firm millions, you're then arguing theoretical threat 
against inhibition of operational capability which, as I'm sure you appreciate, is a fairly futile argument to have with 
most non-security savvy decision makers.

Hope I haven't missed your point too much. Just my random 1am spam.

-Tom 


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave