Re: [Full-disclosure] Getting Off the Patch



Hmm. So you propose other measures of security as a way of circumventing the requirement of patching vulnerable software. That's nice, but it occurs to me that the vulnerable software is still vulnerable, and sandboxing (as you mentioned in an example) isn't always possible or feasible -- maybe it requires a code change, who knows. I see you mention the time it takes to test patches and their effect on your workflow, but I would figure an equal or greater amount of time would then need to be spent on other solutions as well -- and even when those other solutions are implemented, the software that you're doing all this to is still vulnerable, and likely in a way that such measures can't really prevent all that well (code theft, etc).

Am I mistaken? I thought I got all that right. I haven't read the OSSTMM 3 yet, granted (it's on my to-do list), but I would think that it's still worth doing all that -- just that disregarding patches entirely in favor of this isn't the solution either, which is probably not what you're saying. :)

On Jan 10, 2011, at 11:41 AM, Pete Herzog <lists@xxxxxxxxxx> wrote:

Hi,

Here's a new article on how and why you may want to stop patching your
software and take a new approach to your security.

"So if patching is a tactic towards a particular security strategy,
how can that be bad? I never said it was all bad. There are reasons
where patching makes sense just like there are reasons to get a kick
from a cup of coffee, get kicked by a shot of tequila, or spray stuff
up your nose to breathe easier for 1.5 seconds. Yes, for the record, I
am comparing patching to nasal spray."

Read it here:

https://www.infosecisland.com/blogview/10813-Getting-Off-the-Patch.html

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete@xxxxxxxxxx
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: [Full-disclosure] Getting Off the Patch
    ... better than not patching. ... patch on one of our web servers which ran IIS 5.0 on Windows 2000. ... server because of this specific patch missing. ... security standpoint, it either has to be controlled or trusted. ...
    (Full-Disclosure)
  • Re: [Full-disclosure] Getting Off the Patch
    ... I never admitted patching doesn't work. ... depending on the op controls I choose and how I place them, ... there will always be a risk but what security solution can be ... Depending on the flaw in the sandbox, I expect the other op controls ...
    (Full-Disclosure)
  • Re: [Full-disclosure] Getting Off the Patch
    ... I never admitted patching doesn't work. ... It is just one piece of the security puzzle. ... mostly human errors) but patches. ... We all know it is rather hard to get protection from unknown threads, ...
    (Full-Disclosure)
  • RE: Patching
    ... Patching a well-running organization/system should always make you ... a hole is a hole is a hole. ... While I hate explaining why a security patch has done ... Better Management for Network Security ...
    (Security-Basics)
  • RE: Patching
    ... :others are unknown. ... Must a vulnerability / hole be known to ... :Security risks do not all come from "out there" and "bad guys" ... :the level of security of one element by patching, ...
    (Security-Basics)