* Paul Vixie: > ... > > "This backward methodology to security is inefficient and exceedingly > expensive. To keep valuable assets protected, IT staffers must constantly > track software vulnerability databases in order to stay one step ahead of the > bad guys. Each vendor patch release leads to an IT fire drill of testing and > remediating all vulnerable systems. It is estimated that fixing software > security problems in production environments can be more than 100 times more > costly than doing so in the development cycle." > > ... > > http://news.com.com/2010-1002_3-6139456.html?part=rss&tag=2547-1_3-0-5
Is the "100 times" part really correct? Can you confirm the factor for BIND? 8-) It seems to me that you need a holistic viewpoint to reach that factor. Distributed patching is fairly cheap for vendors. And it seems that it doesn't matter from an end user perspective if you need to patch 10 or 100 or 1000 bugs per year, as long as the vendor packs as many bug fixes as possible into a single update which is released in a somewhat predictable manner. The step from 0 to 1 can be quite noticeable, though, especially if you didn't plan for patching at all. _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
