You might also want to mention to your auditor that a LOT of "commercial" 
applications actually make use of open source components, so the net of it is 
that you end up with (as has been pointed out earlier):
- a DELAY in getting security updates:  the vendors will wait for the guys on 
SourceForge (or wherever) to fix the core package, then THEY have to roll the 
change into a patch/update for distribution.
- The joy of having someone to blame/beat/threaten while waiting for the above 
to occur.

I spend a fair amount of time culling through these types of audits, and the 
best advice I can offer is to try and educate the stakeholders:
- Exceptions often pop out based on product version (instead of actually 
"testing" anything).  The auditing tools "should" properly qualify the 
exceptions with something like "xxx component is at version yyy and MAY be 
susceptible to zzz vulnerability".
(point being, that the exception should be investigated, it isn't a certainty!)
- Establish and document the procedures used to verify/resolve exceptions that 
show up from pen-tests, audits, etc.

PITA, but part of the cost of the way we do business these days.
Remember when that first big worm brought the internet to its knees in the 
'80s and all us mainframers were sitting back thinking "serves you right!  Who 
in their right mind would send their data over a public network??"  DOH!


On Mar 7, 2013, at 1:09 AM, Christian Langer wrote:

> Apart from a classic linux desktop with openssh, there is no better
> alternative than putty :)
> 
> As an argument towards putty:
> - security fixes will be delivered JIT
> - broad user base
> 
> 
> On 06.03.2013 21:29, Melancon, Ruddy wrote:
>> I have a security officer that has raised the issue regarding free [Putty] 
>> software.
>> 
>> Has anyone encountered security issues with Putty beyond the Release 0.60?  I 
>> am looking for documented problems.
>> 
>> I am also interested in what I could use as a fee-based product to replace 
>> Putty.
>> 
>> Ruddy Melancon
>> zVM and Linux Support
>> 
>> ----------------------------------------------------------------------
>> For LINUX-390 subscribe / signoff / archive access instructions,
>> send email to [email protected] with the message: INFO LINUX-390 or 
>> visit
>> http://www.marist.edu/htbin/wlvindex?LINUX-390
>> ----------------------------------------------------------------------
>> For more information on Linux on System z, visit
>> http://wiki.linuxvm.org/
>> 
> 
> -- 
> Zentrum für Informationsverarbeitung und Informationstechnik (ZIVIT)
>               - Enterprise Architecture Management -
>             Bonn office, An der Küppe 2, 53225 Bonn
>        Phone: +49-228/99-680-5199, Mobile: +49-172/2042527
>                    Internet: http://www.zivit.de
> 
