[Dailydave] Twitter: (verb) to fail under exponential growth
Trygve Aasheim
trygve at pogostick.net
Wed Jul 2 01:43:29 EDT 2008
Dave Aitel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Marc Maiffret says
> """
>
> Because we have tools that can already
> pinpoint code problems but companies are too lazy to care to get them
> fixed.
>
> """
>
> I don't think it's because they're too lazy at all. I think it's
> because the understanding I need to have of the whole system to fix that
> one bug grows exponentially with the size of the system. Every year we
> write bigger and bigger systems which means the bugs get exponentially
> larger and at some point the cost of fixing any one bug is larger than
> we care to take on.
>
> Specific to application security, yes, things will break if you
> automatically patch them, but this is true of humans patching things as
> well. Patching a vulnerability depends on knowing what it is. For some
> values of "know" this process is trivial, and for some it's not. I think
> it's a very automatable problem, either in the binary or in the source.
> The only way to really argue the "can do" side is to do it, of course. :>
You see a lot of companies where the administrators aren't allowed to
patch either. It's not that they're lazy or the job is too big, or that
they don't see how to actually perform the task on 14,000 servers.
It's because their managers want them to focus on uptime, and jumping
new servers to serve projects and new deployments. Patching can't be
measured in anything that a manager really cares about, while the
ability to deliver to projects and support time2market is easy to measure.

So patching only comes in during error handling, and then it's usually
only a functionality patch for a NIC or an application component. Not an
evaluation and patch run on the system as a whole.

And yeah, uptime == patching in the way we see things. But as long as
security breaches don't take down a system, break an SLA or surface in
a way that gets a lot of people's attention - a manager is not measured on it.

From where I see it, it's job protection for us. ;)
Cheers,
T