Re: "Perspective: Wresting free from a software straitjacket"

[Paul Vixie <paul () vix com>]

> > ...  It is estimated that fixing software security problems in production
> > environments can be more than 100 times more costly than doing so in the
> > development cycle."
> > ...
> > http://news.com.com/2010-1002_3-6139456.html?part=rss&tag=2547-1_3-0-5
>
> Is the "100 times" part really correct?  Can you confirm the factor for
> BIND? 8-)

for F/OSS, the factor is probably more like a million.

> It seems to me that you need a holistic viewpoint to reach that factor.

yes.

> Distributed patching is fairly cheap for vendors.  And it seems that it
> doesn't matter from an end user perspective if you need to patch 10 or 100
> or 1000 bugs per year, as long as the vendor packs as many bug fixes as
> possible into a single update which is released in a somewhat predictable
> manner.  The step from 0 to 1 can be quite noticeable, though, especially if
> you didn't plan for patching at all.

some IT shops track all of their interdependencies, and so they don't apply
every patch that comes along, and they eschew the jumbo patches altogether.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.