RE: Is VMS losing the Financial Sector, also?
- From: "Paul Raulerson" <paul@xxxxxxxxxxxxxx>
- Date: Thu, 5 Jul 2007 08:47:01 -0500
Excellent point - and don't forget, our companies spend really big bucks
with SOX auditing firms to come in and audit every single one of those
issues. The auditors are not always well experienced in the technologies
being used, but they are usually smart enough to recognize a problem when
they see it.
And there are serious repercussions to failing a SOX audit - up to and
including being delisted from the stock exchange and/or jail time. You bet
we take things seriously when we have our OPS hats on. And, despite all the
infrastructure design in the world, we still have to apply security patches.
Given that, we do NOT apply patches randomly or without upfront testing.
Production systems are just too darn *important* to mess up. But we *do*
the testing necessary and *do* apply whatever patches are necessary. Note
that Novell has sent out at least 100 patch notices in the past 60 days for
SuSE Linux.
We don't get nearly as many updates for other OS's - and what we do get are
often engineering changes. That is, except for Windows and the attendant
Microsoft applications. Those, we get a LOT more of. "Patch Tuesday" is NOT
a happy time in my shop!
-Paul
-----Original Message-----
From: Main, Kerry [mailto:Kerry.Main@xxxxxx]
Sent: Thursday, July 05, 2007 6:34 AM
To: Info-VAX@xxxxxxxxxxxx
Subject: RE: Is VMS losing the Financial Sector, also?
-----Original Message-----
From: Arne Vajhøj [mailto:arne@xxxxxxxxxx]
Sent: July 4, 2007 6:31 PM
To: Info-VAX@xxxxxxxxxxxx
Subject: Re: Is VMS losing the Financial Sector, also?
[big snip ...]
Let us understand that out in the real world companies are moving
to Linux.
Absolutely. But let's not pretend that Linux is going to take over
the world and that serious IT shops will not soon realize the real
costs of adopting a platform that has 5-20 security patches released
each and every month.
Linux will not take over the world next year.
The patch problem is not really a problem. So do not expect that
to have any effect.
You are looking at this from a developer who wants to believe this
perspective - not from a reality Operations view.
Most BU's do not care what the IT group uses as platforms, but they do
expect that there will be slim to zero security issues and for that
these BU's and senior managers have near zero tolerance.
If a major breach is exposed or incident happens because IT did not
apply a known patch to a specific documented security issue, whose head
do you think will be served up on a platter?
The Dev group? No.
The Operations group - you bet. Hence, the focus on security is always
more prevalent from an Operations perspective than a developer's
perspective.
And for those that think they can hide behind a good firewall and not
apply all these security patches, remember that 50-60% of all
security issues are internal related.
Yes.
And as I have already asked in another thread without getting
an answer: how many of those 50-60% use security holes in software?
Arne
As I mentioned in another thread, disgruntled employees using known
passwords is only one small part of the problem. [Course, the password
issues are worse on platforms that have all or user type environments,
but that is another discussion.]
Re: software security - Well, what do you think, trojans, worms,
viruses on all those personal devices attack with?
They reside on laptops, PDA's, memory sticks, cell phones and whatever
other personal devices are out there. They are all looking for known
WS and server services exploits to attack. And most traverse external
and internal networks all the time which exponentially increases the
chances of picking up some nasty bug.
Regards
Kerry Main
Senior Consultant
HP Services Canada
Voice: 613-592-4660
Fax: 613-591-4477
kerryDOTmainAThpDOTcom
(remove the DOT's and AT)
OpenVMS - the secure, multi-site OS that just works.