RE: SUS server

From: Marty Armstrong (MartyA@patchlink.com)
Date: 04/09/03

    Date: Wed, 9 Apr 2003 08:44:33 -0700
    From: "Marty Armstrong" <MartyA@patchlink.com>
    To: "Brian W. Spolarich" <bspolarich@nephrostherapeutics.com>, "Evan Mann" <emann@pinnaclefinancial.com>, <focus-ms@securityfocus.com>
    

    SUS is a free tool and certainly has shortcomings; after all, Shavlik (the developers of the SUS detection engine) have a tool you can purchase. As you may or may not be aware, there are other third-party solutions that address the patch management space. The articles below compare many of the patch management software applications.

    http://www.nwfusion.com/reviews/2003/0303patchrev.html

    http://www.networkcomputing.com/1318/1318f3.html

    -Marty

    > -----Original Message-----
    > From: Brian W. Spolarich [mailto:bspolarich@nephrostherapeutics.com]
    > Sent: Tuesday, April 08, 2003 8:14 AM
    > To: Evan Mann; focus-ms@securityfocus.com
    > Subject: RE: SUS server
    >
    >
    > Evan Mann wrote:
    > > I've read the 21 CFR Part 11 spec and nowhere in the documents I've
    > > read does it make indications as to what controls you need on your
    > > systems in terms of updates to your OS and OS related files. 21 CFR
    > > Part 11 is all about document control and/or electronic signatures on
    > > resources related to your medical business, not what can or cannot be
    > > done to the operating system itself.
    >
    > Typically the issue arises in controlled and regulated
    > environments where systems and applications that fall under
    > regulatory scope (21 CFR Part 11 and GxP in particular) need
    > to be validated for their intended use. This typically
    > requires a qualification process for the systems that the
    > applications are deployed on (Installation Qualification,
    > Operational Qualification, and Performance Qualification
    > [IQ/OQ/PQ]), both server and client depending on the
    > architecture, and a detailed and documented validation of the
    > applications themselves.
    >
    > If you apply OS patches in an uncontrolled manner, you wind
    > up with validation exposures. e.g. "How do you KNOW the
    > application continues to behave as expected after you applied
    > the patch? Did you test it?" So in these environments
    > patches tend to be applied less often and usually en masse. I
    > suspect many folks use the Service Pack releases as the
    > opportunity to do that, and only deploy critical interim
    > patches when absolutely necessary.
    >
    > In those environments, the very incremental approach that
    > SUS takes is probably not a Good Thing.
    >
    > -bws


