On Wed, Feb 24, 2010 at 10:46:56AM -0500, Paco Hope wrote: > I don't think "webness" conveys any more homogeneity than, say "windowsness" > or "linuxness." > > What part of being a web application provides homogeneity in a way that makes > patching cheaper?
In a word, control. Let's compare two different organizations: a commercial software development company, and a web commerce company. They both develop software, but how the software is deployed and managed is widely different. Commercial software is created by one party, and consumed by multiple other parties. Those parties may run it in widely different operating environments, with different network, software and harware configurations. They may be running old versions of the software, or using it in novel ways. If the commercial software development company has to patch a vulnerability, they need to first determine which releases of the software need to be patched, develop and test a patch for each supported version, test it across the plethora different configurations their customers may be running, develop release notes and a security advisory, make the patch available, and support their customers while they are patching. For a web commerce company, however, the picture is entirely different. While their production fleet may comprise hundreds, or even thousands, of servers, they're likely all running the exact same software and configuration, using a configuration management system to deploy the website software and keep it in sync. If the web commerce company identifies a vulnerability in their website, they can debug the running stack, create a fix, test it against an exact replica of the production stack, and use automated tools to deploy the patch to their entire fleet in one operation. -Jon
signature.asc
Description: Digital signature
_______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________