parsec_patches

Differences

This shows you the differences between two versions of the page.

parsec_patches [2018/11/28 15:29]
sgriggs
parsec_patches [2019/07/11 04:58] (current)
sgriggs [Stability versus Security Patches]
Line 16: Line 16:
 patched. ​ patched. ​
  
-== What Exactly is a Patch? ==+===== What Exactly is a Patch? ​=====
  
 It might seem silly, but not everyone agrees on what constitutes a patch. It might seem silly, but not everyone agrees on what constitutes a patch.
Line 24: Line 24:
 kernel, or a bit of hardware. ​ kernel, or a bit of hardware. ​
  
-=== Stability versus Security Patches ===+===== Stability versus Security Patches ​=====
  
 Some, but not all vendors will bifurcate their patches into two categories: Some, but not all vendors will bifurcate their patches into two categories:
Line 43: Line 43:
 running into. running into.
  
 +===== Are These Original OEM Patches? =====
  
-=== What is a Firmware Update? ===+Never. No way. We are not legally able to do this and we can only touch vendor patches when the customer has clear entitlements with the vendor. At that point, we are just consultants who do your OEM patching for you, but you've paid for the original entitlement. We absolutely will never download a patch from a vendor and "​cheat"​ by putting it on a customer system. It's immoral and illegal.  
 + 
 +We **only** deliver patches which we've developed in-house with our own independent methods. 
 + 
 +===== How Does One Pay for Patch Entitlements?​ ===== 
 + 
 +Customers pay hourly consulting fees to pay for the hotfix or patch they want/need. The rate is determined by talking to your salesperson.  
 + 
 +We can also make recommendations for any patches based on outstanding CVE reports and quote you on those patches only so you can present that as a regulatory audit artifact showing that your system is still secure and up to date on patches specifically for security issues.  
 +===== What is a Firmware Update? ​=====
  
 Some hardware devices need their own internal code to function. Think of it Some hardware devices need their own internal code to function. Think of it
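Review bot: the new "Are These Original OEM Patches?" section answers "Never. No way." and then, in the same paragraph, describes doing OEM patching for customers who hold vendor entitlements, which is the opposite answer; split the two cases so the reader gets a straight answer, for example `No. The patches we deliver are our own. Where a customer holds a vendor entitlement, we can apply the vendor's patches as a consulting service; we never redistribute them.` In the last paragraph of the hunk, a quote for CVE-based patches is described as an audit artifact "showing that your system is still secure and up to date"; a quote records what was recommended, not what was installed, so describe the artifact as the list of CVEs addressed plus the installation record rather than as a statement that the system is secure.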
Line 69: Line 79:
 Firmware is definitely not something that PARSEC can be in the business of Firmware is definitely not something that PARSEC can be in the business of
 patching. ​ Where possible and completely legal, we can package any firmware patching. ​ Where possible and completely legal, we can package any firmware
-updates that come from the OEM.  They can be embedded in the same package +updates that come from the hardware ​OEM which are documented to be legally allowed for distribution.  They can be embedded in the same package format we use (EPM - Enterprise Package Manager). ​ This is the same thing 
-format we use (EPM - Enterprise Package Manager). ​ This is the same thing +the big vendors do.  They just *stop* doing it after the OS becomes end-of-support or end-of-life (EOS & EOL).
-the big vendors do.  They just *stop* doing it after the OS becomes +
-end-of-support or end-of-life (EOS & EOL).+
  
-=== What is a Kernel Patch? ===+Also keep in mind that vendors tend to stop upgrading firmware after 1-3 years from the release date. This is because they generally feel pretty confident and stable about the code as their bug reports slow down and die off. By the time you'd want to sign a contract with PARSEC, you'd probably be well out of this period. So, to be fair and compare apples to apples, the OEM vendor isn't going to give you firmware updates beyond a certain point either, even despite having the legal means to do so.  
 + 
 +===== What is a Kernel Patch? ​=====
  
 The kernel is the core of most operating systems. It describes only the most The kernel is the core of most operating systems. It describes only the most
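Review bot: the rewritten firmware paragraph says OEM updates "which are documented to be legally allowed for distribution" are repackaged into EPM, but nothing tells the customer how to confirm the repackaged image is the unmodified OEM one; add a sentence on how the OEM's published checksum or signature is carried in or alongside the EPM package so it can be verified before flashing. The added claim that "vendors tend to stop upgrading firmware after 1-3 years from the release date" is stated as fact with no qualification; mark it as a general observation that varies by vendor and product line, or point at the vendors' own lifecycle statements.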
Line 90: Line 100:
  
  
-== PARSEC Patch Program ==+==== PARSEC Patch Program ​====
  
 PARSEC has a product offering to address the issue of patching for version PARSEC has a product offering to address the issue of patching for version
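Review bot: the heading level here is inverted relative to the rest of the change: "PARSEC Patch Program" goes from `==` to `====` (DokuWiki H3) while the subsections beneath it ("Selection of Patch Candidates", "What We Do NOT Patch and Why", and so on) go to `=====` (H2), so the section ends up nested below its own children. Give the parent one more `=` than its subsections, i.e. `====== PARSEC Patch Program ======`, and apply the same ordering to "Patching and Regulatory Compliance" (`===`) and "Examples and Demonstrations" (`===`) further down, which have the same problem.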
Line 104: Line 114:
 based on known vulnerabilities. ​ based on known vulnerabilities. ​
  
-=== Selection of Patch Candidates ===+===== Selection of Patch Candidates ​=====
  
 We select patches based on the OS specific entries in the CVE database. ​ We select patches based on the OS specific entries in the CVE database. ​
Line 126: Line 136:
 in subsystems we have code-access to, for example Sendmail or Inetd. in subsystems we have code-access to, for example Sendmail or Inetd.
                                                                                                                                                                                                                                                                                                                        
-=== What We Do NOT Patch and Why ===+===== What We Do NOT Patch and Why =====
  
 PARSEC doesn'​t have the complete source code to most of the operating PARSEC doesn'​t have the complete source code to most of the operating
Line 155: Line 165:
 deprecate the server if needed. deprecate the server if needed.
  
-=== What We Do Patch with Examples ===                                                                                                                                                            +===== What We Do Patch with Examples =====                                                                                                                                                         
  
 Most of the time, OS vendors do not write basic system software if they Most of the time, OS vendors do not write basic system software if they
Line 195: Line 205:
 using your AIX 5.3 system indefinitely and still be 100% above board for using your AIX 5.3 system indefinitely and still be 100% above board for
 your regulatory compliance and patching. your regulatory compliance and patching.
- 
-=== Patch Schedules === 
- 
-Patches are released only for paying customers within two weeks after the 
-start of each new quarter. This allows for all issues found within the 
-quarter to be part of a patch rollup. The rollups are batches of patches 
-that catches you up to a secured place. ​ 
  
 In the event of a remote root exploit or a remotely exploitable issue in In the event of a remote root exploit or a remotely exploitable issue in
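Review bot: removing "Patch Schedules" drops the only statement of the quarterly rollup cadence, but the paragraph that survives immediately after it ("In the event of a remote root exploit ... rolled into that quarter's patch bundle") still refers to "that quarter's patch bundle"; either keep a one-line statement that patches ship as quarterly rollups, or reword the surviving paragraph so it no longer depends on the deleted section.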
Line 208: Line 211:
 rolled into that quarter'​s patch bundle. rolled into that quarter'​s patch bundle.
  
-=== Why We Use Enterprise Package Manager for Patches ===+===== Why We Use Enterprise Package Manager for Patches ​=====
  
 The EPM tool is an open source package management system written by Michael The EPM tool is an open source package management system written by Michael
Line 241: Line 244:
 /​etc/​software which contains a removal script for every installed package. /​etc/​software which contains a removal script for every installed package.
  
-== Patching and Regulatory Compliance ==+If a customer specifically requests a patch be in native format, we can easily create that, also.  
 + 
 +=== Patching and Regulatory Compliance ​===
  
 Let's face it, many times patching is driven by the need to comply with some Let's face it, many times patching is driven by the need to comply with some
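Review bot: "native format" in the added sentence ("If a customer specifically requests a patch be in native format, we can easily create that, also.") is undefined; the section just finished explaining why EPM is used instead, so say which native format is meant (the OS vendor's own package format for the platform in question) so the reader knows what they can ask for.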
Line 250: Line 255:
 to parse than programmers. to parse than programmers.
  
-=== How Do I Know What I'm Required to Patch? ===+However, in most cases one simply needs to have a plan for patching and technology updates. If your plan is to [[version lock|version_locking_legacy_environments]],​ then  
 + 
 +===== How Do I Know What I'm Required to Patch? ​=====
  
 In almost all cases, the regulatory standards try to be broad and use a lot In almost all cases, the regulatory standards try to be broad and use a lot
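Review bot: the added sentence ends mid-thought: "If your plan is to [[version lock|version_locking_legacy_environments]], then" has no conclusion; finish it or drop it before publishing. The link syntax is also reversed for DokuWiki, which is `[[pagename|link text]]`; as written it links to a page named "version lock" with the display text "version_locking_legacy_environments". The intended form is presumably `[[version_locking_legacy_environments|version lock]]`.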
Line 271: Line 278:
 the common standards and what they actually require in further sections. ​ the common standards and what they actually require in further sections. ​
  
-=== When am I Required to Patch? ===+===== When am I Required to Patch? ​=====
  
 Patching frequency is almost always dependent on what your local security Patching frequency is almost always dependent on what your local security
Line 283: Line 290:
 enough. enough.
  
-=== GLBA Specifics ===+==== GLBA Specifics ​====
  
 U.S.  Congress gave us the Gramm-Leach-Bliley Act (GLBA), also called the U.S.  Congress gave us the Gramm-Leach-Bliley Act (GLBA), also called the
Line 314: Line 321:
 encryption'​s operational security must be fixed and updated. encryption'​s operational security must be fixed and updated.
  
-=== HIPPA Specifics ===+==== HIPPA Specifics ​====
  
 The requirements in HIPPA are designed to protect individuals from The requirements in HIPPA are designed to protect individuals from
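Review bot: the heading and the paragraphs around it spell the act "HIPPA"; it is HIPAA (Health Insurance Portability and Accountability Act). Since the heading line is being edited in this hunk anyway, correct it here as `==== HIPAA Specifics ====` and fix the body occurrences ("The requirements in HIPAA", "HIPAA is vague") in the same pass.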
Line 352: Line 359:
 As you can see, HIPPA is vague but only in ways that advantage the auditors. As you can see, HIPPA is vague but only in ways that advantage the auditors.
  
-=== SOX Specifics ===+===== SOX Specifics ​=====
  
 Sarbanes-Oxley is a law which is part of the US Title 15 code governing Sarbanes-Oxley is a law which is part of the US Title 15 code governing
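Review bot: the four regulation subsections end up at two different levels: "GLBA Specifics" and "HIPPA Specifics" were changed to `====` while "SOX Specifics" here and "PCI Specifics" below become `=====`; they are siblings under "Patching and Regulatory Compliance", so pick one level for all four.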
Line 380: Line 387:
 anything really specific from your IT security. anything really specific from your IT security.
  
-=== PCI Specifics ===+===== PCI Specifics ​=====
  
 The Payment Card Industry (PCI) standards aren't law, they are well accepted The Payment Card Industry (PCI) standards aren't law, they are well accepted
Line 406: Line 413:
 protocols the code-path in those tools must be kept secure. protocols the code-path in those tools must be kept secure.
  
-== Examples and Demonstrations ==+=== Examples and Demonstrations ​===
  
 Just for fun, let's watch a few PARSEC patches in action and have a quick Just for fun, let's watch a few PARSEC patches in action and have a quick
Line 413: Line 420:
 see something more concrete. see something more concrete.
  
-=== Upgrading Secure Shell ===+==== Upgrading Secure Shell ====
  
 Here is an example on a Tru64 system. We have an ancient and highly Here is an example on a Tru64 system. We have an ancient and highly
Line 484: Line 491:
 agreement and just do the installation quietly. agreement and just do the installation quietly.
  
-=== Upgrading Sendmail ===+==== Upgrading Sendmail ​====
  
 Sendmail is another bit of software which comes from the open source world, Sendmail is another bit of software which comes from the open source world,
Line 584: Line 591:
 has to face the Internet. has to face the Internet.
  
-=== Other Scenarios ===+==== Other Scenarios ​====
  
 Keep in mind that there is a heckuva lot more software that can be patched Keep in mind that there is a heckuva lot more software that can be patched
Line 603: Line 610:
 cycles and less hassle. cycles and less hassle.
  
-The pricing for our PARSEC Patch program is typically a 10% uplift to your 
-support cost.  This helps us justify putting in the time to track the 
-vulnerabilities and develop the patches, workarounds,​ and upgrades that will 
-make your money well spent. 
  
  
parsec_patches.1543418984.txt.gz · Last modified: 2018/11/28 15:29 by sgriggs