RE: Patch testing
From: Chris Lynch (lynch00_at_cox.net)
Date: 08/25/03
To: "'Avleen Vig'" <lists-bugtraq@silverwraith.com>
Date: Mon, 25 Aug 2003 11:43:58 -0700
This is a good point that I didn't realize. Again, I wasn't saying that you
should "solely" use Vmware to test all service packs. I was merely
suggesting that in most cases, Vmware can provide a better environment for
those that cannot afford the additional hardware. Nothing can really
substitute the benefits of having duplicate hardware for a testing
environment, but in most cases this is not practical. From purely a
budgetary purpose, it is most cost effective to have three good servers and
install Vmware to run 3 or more guest OSes that could reproduce your
environment.
Does this help you with testing hardware drivers, firmware, or even hotfixes
from the OS vendor to resolve hardware specific issues? No. Could you
reproduce your environment that has SQL 2000/7.0 that has your company's
ERP package, or primary financial application, so you could test SP3 or SP4
(for whichever version of SQL you are running) to make sure the application
isn't going to break? Yes. Could you also reproduce your AD environment or
Exchange environment to test out SP4, or SP3 (for Windows 2000 and Exchange
2000 respectively)? With Exchange, yes. But with the OS, unless there is
something specific with the hardware level, no. This is where research into
the service pack or even the hotfix is necessary.
This isn't a fix-all solution, but it can assist with most IT departments to
test out patches, and get patches installed sooner, rather than later. The
BLASTER virus just proves that necessity. (as well as others)
Chris
-----Original Message-----
From: Avleen Vig [mailto:avleen@silverwraith.com] On Behalf Of Avleen Vig
Sent: Monday, August 25, 2003 11:31 AM
To: Chris Lynch
Cc: 'Kurt Seifried'; 'Todd Schubert'; focus-ms@securityfocus.com
Subject: Re: Patch testing
On Sun, Aug 24, 2003 at 11:17:43AM -0700, Chris Lynch wrote:
> This has been our advice to our clients. But, in the respect, we have
> changed our views, and are telling our clients that having a test lab
> setup is a good thing. Now the question here was "how important is it
> to have the test servers running the same types of hardware as the
> production environment?" I would have to say next to zero. We are
> going as far as recommending Vmware for test labs. All you need to do
> is to replicate the services you are providing (Email, directory, file
> and print, SQL, Oracle, etc). Hardware doesn't come into play. I
> haven't seen a hotfix that has been released lately by Microsoft that
> would resolve an issue with a hardware vendor.
>
> I would say that you would be pretty safe to get some workstations, or
> clones, install Vmware, and test away.
I must respectfully disagree.
With regards to large patch sets like Service Packs, and any (ANY) patch
which changes code that talks to hardware (read: drivers, network code,
writing-to-disk code, cpu-specific instruction code, etc), having identical
hardware is *critical* to the successful testing of a patch.
How else do you know if that patch can still successfully talk to your
hardware?
Note: A security related patch doesn't have to fix a hardware-related bug,
in order to change code that communicates with hardware.
I heard recently that IIS6 will ship with code that runs in Ring 0
(sometimes loosely referred to as 'kernel mode'). The assumption is that this
code will talk directly to hardware in order to improve performance. Imagine
if you will, an IIS6 bug, that patches code that talks to hardware.
The problem doesn't have to be with the hardware vendor. More often than
not, the problem is Microsoft's product communicating with the hardware.
That is why identical hardware is a requirement.
If you roll out a new service, if you possibly can you should really allow a
few extra dollars for test equipment. I understand this isn't always
possible, but if it is, then you should.