Marcus Ranum rants on patching and COTS software
Posted by creining | Filed under Security
On his website, Marcus Ranum (Senior Scientist at TruSecure Corporation) has posted a piece he wrote entitled What Sun Tzu Would Say, which is a “silly, whimsical, angry piece” about patching systems. He states that to fundamentally get away from the patch treadmill, you need to do two things: run software that does not suck and limit internet-facing services. I think that both of these are common sense in the security community, but I foresee an issue with running software that does not suck. If competent security professionals had the option of picking all the software that a company ran, it would be feasible. However, at large corporations there are often many, many applications implemented and various commercial software vendors that have their tentacles all too ingrained in the corporation. Now, I think the best bet would be for the security team to have a say in what gets implemented in all future software implementations (like Apache (or even thttpd) over IIS, for example).

Ranum also mentions a couple of examples of why buying “off the shelf software” does not in any way provide benefits over writing custom software in-house. One of the examples he provides:
“A client of mine works for a fairly large bank, which bought an E-banking app from a 3rd party. The E-banking app required months and months of HTML development, consulting, and customization before they could put it into test. When they were well into their testing, they hired me to come look at it and I was horrified to discover that the app (which cost $400,000) ran on an old version of NT, and required use of an old version of Microsoft IIS. When I got onto some con-calls with the provider they explained that my client could protect the NT server “with a firewall” and that they were focused on providing connectivity, not security: that was left as an exercise for their customer. It went live, of course, but only after tons more money was spent on remediation for what was fundamentally a poor choice of tools. What was the ROI on this project? I don’t want to think about it. Somehow, Prince Ciao has convinced himself that “Off The Shelf Software” is good while “Custom” software is bad. What Prince Ciao doesn’t understand is that that thing consultants do is called “customization” and by the time you’ve configured it with a lot of firewalls, patches, and 10,000 other fixes and hot-swaps it’s not exactly “off the shelf” software anymore.”