Re: Patch testing
From: Avleen Vig (lists-bugtraq_at_silverwraith.com)
Date: 08/25/03
- Previous message: Chris Lynch: "RE: Patch testing"
- In reply to: Chris Lynch: "RE: Patch testing"
- Next in thread: Chris Lynch: "RE: Patch testing"
- Reply: Chris Lynch: "RE: Patch testing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 25 Aug 2003 11:30:31 -0700 To: Chris Lynch <lynch00@cox.net>
On Sun, Aug 24, 2003 at 11:17:43AM -0700, Chris Lynch wrote:
> This has been our advice to our clients. But, in the respect, we have
> changed out views, and are telling our clients that having a test lab setup
> is a good thing. Now the question here was "how important is it to have the
> test servers running the same types of hardware as the production
> environment?" I would have to say next to zero. We are going as far as
> recommending Vmware for test labs. All you need to do is to replicate the
> services you are providing (Email, directory, file and print, SQL, Oracle,
> etc). Hardware doesn't come into play. I haven't seen a hotfix that has
> been released lately by Microsoft that would resolve an issue with a
> hardware vendor.
>
> I would say that you would be pretty safe to get some workstations, or
> clones, install Vmware, and test away.
I must respectfully disagree.
With regards to large patch sets like Service Packs, and any (ANY) patch
which changes code that takes to hardware (read: drivers, network code,
writing-to-disk code, cpu-specific intruction code, etc), having
identical hardware is *critical* to the successful testing of a patch.
How else do you know if that patch can still succesfully talk to your
hardware?
Note: A security related patch doesn't have to fix a hardware-related
bug, in order to change code that communicates with hardware.
I heard recentlly that IIS6 will ship with code that runs in Ring 0
(sometimes loosely refered to as 'kernel mode'). The assumption is that
this code will talk directly to hardware in order to improve
performance. Imagine if you will, an IIS6 bug, that patches code that
talks to hardware.
The problem doesn't hard to be with the hardware vendor. More often than
not, the problem is the Microsoft's product communicating with the
hardware. That is why identical hardware is a requirement.
If you roll out a new service, if you possibly can you should really
allow a few extra dollars for test equipment. I understand this isn't
always possible, but if it is, then you should.
---------------------------------------------------------------------------
KaVaDo provides the first and only integrated Web application scanner and
firewall security suite that prevent Web applications attacks, the most
common form of online exploitation. Download a FREE whitepaper on Security Policy Automation for Web Applications.
http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
---------------------------------------------------------------------------
- Previous message: Chris Lynch: "RE: Patch testing"
- In reply to: Chris Lynch: "RE: Patch testing"
- Next in thread: Chris Lynch: "RE: Patch testing"
- Reply: Chris Lynch: "RE: Patch testing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
