Dailydave mailing list archives

Re: Twitter: (verb) to fail under exponential growth


From: Trygve Aasheim <trygve () pogostick net>
Date: Wed, 02 Jul 2008 07:43:29 +0200



Dave Aitel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Marc Maiffret says
> """
>
> Because we have tools that can already
> pinpoint code problems but companies are too lazy to care to get them 
> fixed.
>
> """
>
> I don't think it's because they're too lazy at all. I think it's 
> because the understanding I need to have of the whole system to fix that 
> one bug grows exponentially with the size of the system. Every year we 
> write bigger and bigger systems which means the bugs get exponentially 
> larger and at some point the cost of fixing any one bug is larger than 
> we care to take on.
>
> Specific to application security, yes, things will break if you 
> automatically patch them, but this is true of humans patching things as 
> well. Patching a vulnerability depends on knowing what it is. For some 
> values of "know" this process is trivial, and for some it's not. I think 
> it's a very automatable problem, either in the binary or in the source. 
> The only way to really argue the "can do" side is to do it, of course.  :>

You see a lot of companies where the administrators aren't allowed to 
patch either. It's not that they're lazy or the job is too big, or that 
they don't see how to actually perform the task on 14.000 servers.

It's because their managers want them to focus on uptime, and jumping 
new servers to serve projects and new deployments. Patching can't be 
measured in anything that a manager really cares about, while the 
ability to deliver to projects and support time2market is easy to measure.

So patching only comes in during error handling, and then it's usually 
only a functionality patch for a NIC or an application component. Not an 
evaluation and patch run on the system as a whole.

And yeah, uptime == patching in the way we see things. But as long as 
security breaches don't take down a system, break an SLA or surface in 
a way that gets a lot of people's attention - a manager is not measured on it.

From where I see it, it's job protection for us.  ;)

Cheers,
T
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
