We have a mix of things, none of which is a panacea.

1) We use a commercial service called VIM from Secunia. It is basically an
aggregator of vulnerabilities; you define the inventory of software/vendors
you care about and what threshold of interest you have. If there is a
vulnerability, then you will be notified. The system also has a ticketing
workflow built in, but we tend to use our own.

2) For the Debian systems, there is the debsecan utility which reports on
the state of a running system vs "ideal" state. The challenge with this
becomes the aggregation of state across multiple hosts, then making the
decision about what you care about vs not, so some glue is required.

The tools Jan wrote look pretty interesting, so I'll be taking a closer
look at them.


On Mon, Mar 17, 2014 at 11:23 AM, Phil Pennock <[email protected]> wrote:

> What are people currently using for tracking status of security updates
> of software which you depend upon in production?  This is separate from
> "apply vendor security updates" as it pertains to the items which you
> build from source or with custom packaging, because it's a core part of
> the line of business, or for whatever other reason.
>
> Just tickets in your regular ticketing system, perhaps in a special
> queue?  Something else?  What sort of automation?
>
> E.g., a vendor security notice (Ubuntu USN or whatever) comes in; does it
> tie into existing tickets with CVEs already tracked and handled, or is
> it a new issue?  Is it partly for something already dealt with, but
> there's an extra CVE which was fixed and which needs a new rollout?
> How do you track when you'll need customer/client notification, vs just
> being able to hotfix?  How do you track release qualification status?
>
> If you're using an existing ticketing system with some customisation,
> are there any templates which you can share?
>
> Thanks,
> -Phil
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
>  http://lopsa.org/
>
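The "glue" mentioned in point 2 above, as an added example that is not code from the thread or from the debsecan project: it takes debsecan output collected from several hosts (one text blob per host, however you fetch it), merges the findings per CVE and package, drops anything the host already reports as fixed, records which hosts are affected and the worst urgency seen, and then applies the "what do we care about" threshold (minimum urgency, optionally remote-only) to produce a ticket-ready list. It assumes debsecan's default one-line summary format (`<id> <package> (<flags>)`); the per-host output embedded below is constructed sample data and the CVE numbers in it are placeholders, not real advisories.

```python
"""Aggregate debsecan-style findings across hosts and apply a triage threshold.

Added example for the thread above, not part of any message in it. Assumes
debsecan's default summary format, one finding per line, e.g.

    CVE-2099-0001 examplepkg (remotely exploitable, high urgency)

The SAMPLE_OUTPUT below is constructed; the CVE numbers are placeholders.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Ordering used both for "worst urgency seen" and for the triage threshold.
URGENCY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3}

# id, package, optional comma-separated flag list in parentheses.
LINE_RE = re.compile(r"^(?P<id>\S+)\s+(?P<package>\S+)(?:\s+\((?P<flags>[^)]*)\))?\s*$")

# Constructed sample: what `debsecan` might print on three hosts.
SAMPLE_OUTPUT: Dict[str, str] = {
    "web01": (
        "CVE-2099-0001 examplepkg (remotely exploitable, high urgency)\n"
        "CVE-2099-0002 otherpkg (low urgency)\n"
        "CVE-2099-0003 libfoo (medium urgency, fixed)\n"
    ),
    "web02": (
        "CVE-2099-0001 examplepkg (remotely exploitable, high urgency)\n"
        "CVE-2099-0004 libbar (remotely exploitable, medium urgency)\n"
    ),
    "db01": "CVE-2099-0002 otherpkg (low urgency)\n",
}


class Finding(NamedTuple):
    vuln_id: str
    package: str
    urgency: str
    remote: bool
    fixed: bool


def parse_debsecan(output: str) -> List[Finding]:
    """Parse one host's debsecan summary output into Finding records."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line; skip rather than guess
        flags = [f.strip() for f in (m.group("flags") or "").split(",") if f.strip()]
        urgency = "unknown"
        for flag in flags:
            if flag.endswith(" urgency"):
                urgency = flag.split()[0]
        findings.append(Finding(
            vuln_id=m.group("id"),
            package=m.group("package"),
            urgency=urgency,
            remote="remotely exploitable" in flags,
            fixed="fixed" in flags,
        ))
    return findings


def aggregate(per_host: Dict[str, str]) -> Dict[tuple, dict]:
    """Merge per-host findings into (vuln_id, package) -> hosts, worst urgency, remote flag."""
    agg = defaultdict(lambda: {"hosts": set(), "urgency": "unknown", "remote": False})
    for host, output in per_host.items():
        for f in parse_debsecan(output):
            if f.fixed:
                continue  # this host already carries the fixed package
            entry = agg[(f.vuln_id, f.package)]
            entry["hosts"].add(host)
            if URGENCY_RANK.get(f.urgency, 0) > URGENCY_RANK.get(entry["urgency"], 0):
                entry["urgency"] = f.urgency
            entry["remote"] = entry["remote"] or f.remote
    return dict(agg)


def triage(agg: Dict[tuple, dict], min_urgency: str = "medium",
           remote_only: bool = False) -> List[dict]:
    """Apply the 'what we care about' threshold; worst urgency and widest spread first."""
    rows = []
    for (vuln_id, package), e in agg.items():
        if URGENCY_RANK.get(e["urgency"], 0) < URGENCY_RANK[min_urgency]:
            continue
        if remote_only and not e["remote"]:
            continue
        rows.append({"id": vuln_id, "package": package, "urgency": e["urgency"],
                     "remote": e["remote"], "hosts": sorted(e["hosts"])})
    rows.sort(key=lambda r: (-URGENCY_RANK.get(r["urgency"], 0), -len(r["hosts"]), r["id"]))
    return rows


if __name__ == "__main__":
    for row in triage(aggregate(SAMPLE_OUTPUT)):
        scope = "remote" if row["remote"] else "local"
        print(f'{row["id"]} {row["package"]} [{row["urgency"]}, {scope}] '
              f'on {len(row["hosts"])} host(s): {", ".join(row["hosts"])}')
```

Each row of the triage output maps naturally onto one ticket, which is where the per-host noise is reduced to a per-CVE decision; raising `min_urgency` or setting `remote_only=True` is the threshold knob the message describes as the hard part.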