[dbsec] Re: Patching times

  • From: Jonathan Leffler <jleffler@xxxxxxxxxxxxx>
  • To: dbsec@xxxxxxxxxxxxx
  • Date: Thu, 19 Apr 2007 21:59:15 -0700

David Litchfield wrote:
Feel free to disregard: I was wondering how long the lag is between a vendor releasing a patch and it being installed on your production databases? I'm trying to get more of a feel for how long people test patches before rolling them out.

It depends on the system and the company. Here, we're talking about DBMS patching, specifically.

Anecdotal evidence would suggest a long time for some banks. I was told that the development cycle for one DBMS consists, roughly, of 1 year to design, 1 year to implement, 1 year of internal test, 1 year of testing by general customers (and then production deployment by general customers), followed by 1 more year of internal testing at subsidiary in <specific country>, and 1 year of testing at <big bank in specific country> before the DBMS goes into production at <big bank in specific country>. If you've lost track, that's 6 years or so from conception to implementation at the customer (a mere 4 years for the less paranoid). I don't know whether 'patches' apply in that scenario - probably not.

For companies that have a few thousand systems around the country (or world), it may physically take 1-6 months to deploy any new release, because of bandwidth and resiliency issues. It could easily take a month to validate that the patch will install on all machine types that need the patch before the deployment begins. Such customers might have a staff of (say, conservatively) under 20 DBAs to manage their multiple thousands of server instances; any failure that requires an on-site visit is a disaster. The testing will partly be functional - does the product continue to work after the patch is installed with no detrimental side-effects - and the rest of the testing will be 'operational' - can the patch be installed without wreaking havoc during installation on all the various classes of machine installed (of different ages, etc.).

It is one reason for trying to keep public disclosure under control; even if the fix is released the same week that the bug is reported, it is simply not possible for many (potentially vulnerable) DBMS users to deploy it to all their field sites in a period of less than 3 months. Consequently, announcing that a DBMS is vulnerable means that, if an intruder can get into their systems, they can still be vulnerable for a long time.

--
Jonathan Leffler (jleffler@xxxxxxxxxxxxx) #include <disclaimer.h>
Guardian of DBD::Informix v2007.0226 -- http://dbi.perl.org/