Re: [SC-L] web apps are homogenous?

2010-02-25 Thread Jon McClintock
On Wed, Feb 24, 2010 at 10:46:56AM -0500, Paco Hope wrote:
> I don't think webness conveys any more homogeneity than, say windowsness
> or linuxness.
>
> What part of being a web application provides homogeneity in a way that makes
> patching cheaper?

In a word, control. Let's compare two different organizations: a
commercial software development company, and a web commerce company.
They both develop software, but how the software is deployed and managed
is widely different.

Commercial software is created by one party, and consumed by multiple
other parties. Those parties may run it in widely different operating
environments, with different network, software and hardware
configurations. They may be running old versions of the software, or
using it in novel ways.

If the commercial software development company has to patch a
vulnerability, they need to first determine which releases of the
software need to be patched, develop and test a patch for each supported
version, test it across the plethora of different configurations their
customers may be running, develop release notes and a security advisory,
make the patch available, and support their customers while they are
patching.

For a web commerce company, however, the picture is entirely different. 
While their production fleet may comprise hundreds, or even thousands,
of servers, they're likely all running the exact same software and 
configuration, using a configuration management system to deploy the
website software and keep it in sync.

If the web commerce company identifies a vulnerability in their website,
they can debug the running stack, create a fix, test it against an
exact replica of the production stack, and use automated tools to 
deploy the patch to their entire fleet in one operation.

-Jon


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] seeking hard numbers of bug fixes...

2010-02-23 Thread Jon McClintock
On Mon, Feb 22, 2010 at 10:45:02AM -0500, Jeremy Epstein wrote:
> Take a look at Mary Ann Davidson's keynote at ACSAC in Dec 2009.
> http://www.acsac.org/2009/program/keynotes/davidson.pdf

This provides a pretty good examination of the costs of patching 
commercial software. Has anyone done a similar analysis for web 
applications? I'd expect the costs to be dramatically lower, given
that you're typically producing a single patch for a handful of
homogenous systems.

-Jon

