Dailydave mailing list archives
Re: Twitter: (verb) to fail under exponential growth
From: Trygve Aasheim <trygve () pogostick net>
Date: Wed, 02 Jul 2008 07:43:29 +0200
Dave Aitel wrote:
Marc Maiffret says:
"""
Because we have tools that can already pinpoint code problems but companies are too lazy to care to get them fixed.
"""
I don't think it's because they're too lazy at all. I think it's because the understanding I need to have of the whole system to fix that one bug grows exponentially with the size of the system. Every year we write bigger and bigger systems, which means the bugs get exponentially larger, and at some point the cost of fixing any one bug is larger than we care to take on.
Specific to application security, yes, things will break if you automatically patch them, but this is true of humans patching things as well. Patching a vulnerability depends on knowing what it is. For some values of "know" this process is trivial, and for some it's not. I think it's a very automatable problem, either in the binary or in the source. The only way to really argue the "can do" side is to do it, of course. :>

You see a lot of companies where the administrators aren't allowed to patch either. It's not that they're lazy or the job is too big, or that they don't see how to actually perform the task on 14.000 servers. It's because their managers want them to focus on uptime, and jumping new servers to serve projects and new deployments. Patching can't be measured in anything that a manager really cares about, while the ability to deliver to projects and support time2market is easy to measure. So patching only comes in during error handling, and then it's usually only a functionality patch for a NIC or an application component. Not an evaluation and patch run on the system as a whole.

And yeah, uptime == patching in the way we see things. But as long as security breaches don't take down a system, break an SLA or surface in a way that gets a lot of people's attention - a manager is not measured on it.

From where I see it, it's job protection for us. ;)

Cheers,
T

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave