Solved

3rd party patching

Posted on 2011-03-15
1
255 Views
Last Modified: 2012-08-13
Has anyone established any acceptable policies around 3rd party suppliers and patch management? For example, let’s say 3rd party “Systems Ltd” develops you a payroll application called “payapp” that runs on red hat linux platform, is driven by an oracle database and the web service is apache. Your environment is hosted by another 3rd party, let’s call them “a support” who are responsible in the contract for patch management but typically this is windows related patching via WSUS, and doesn’t extend to apache, linux, oracle unless specified in the contract.

So we run a vulnerability scanner like Nessus or whatever, and it flags up numerous missing security patches on the web and data server, missing patches for everything, red hat, oracle database and apache. And then it comes down to who is to blame.

Typically we get a response from the application developers saying we only support the application on a certain “patch set”, which I assume means if “ a support” start patching Oracle to cover all latest security issues, and then the app all of a sudden starts going wappy and not working, “Systems Ltd” aren’t to blame and “a support” are. But, if “Systems Ltd” only support their app on a specific patch set and thus new vulnerabilities are found in say Oracle or Red Hat or Apache, if they aren’t patched they and the application they serve are “vulnerable”.

So what to do in such a situation? Do you allow apps to run on unsupported/unpatched infrastructure knowing it will operate fine? Or do you have to meet in the middle somewhere? Also, is this kind of scenario common? I assume all of you have apps developed by some 3rd party based on a specific technology stack? Are vulnerabilities found in database level products like Oracle typically seen as “low risk” and “low liklehood” of compromise, where missing apache patches seen as “higher risk”, and “higher liklehood” of compromise?
0
Comment
Question by:pma111
1 Comment
 
LVL 31

Accepted Solution

by:
farzanj earned 250 total points
ID: 35137793
On RedHat, the RedHat recommended policy is to create new RPMS.  In the process you creating new RPMS, you put the patch files, which are merged together by the RPM creation process.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Ensuring effective and secure communication in the age of healthcare BYOD.
The new Gmail Phishing Scam going around is surprising even the savviest of users with its sophisticated techniques.
Saved searches can save you time by quickly referencing commonly searched terms on any topic. Whether you are looking for questions you can answer or hoping to learn about a specific issue, a saved search can help you get the most out of your time o…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question