Solved

3rd party patching

Posted on 2011-03-15
1
251 Views
Last Modified: 2012-08-13
Has anyone established any acceptable policies around 3rd party suppliers and patch management? For example, let’s say 3rd party “Systems Ltd” develops you a payroll application called “payapp” that runs on red hat linux platform, is driven by an oracle database and the web service is apache. Your environment is hosted by another 3rd party, let’s call them “a support” who are responsible in the contract for patch management but typically this is windows related patching via WSUS, and doesn’t extend to apache, linux, oracle unless specified in the contract.

So we run a vulnerability scanner like Nessus or whatever, and it flags up numerous missing security patches on the web and data server, missing patches for everything, red hat, oracle database and apache. And then it comes down to who is to blame.

Typically we get a response from the application developers saying we only support the application on a certain “patch set”, which I assume means if “ a support” start patching Oracle to cover all latest security issues, and then the app all of a sudden starts going wappy and not working, “Systems Ltd” aren’t to blame and “a support” are. But, if “Systems Ltd” only support their app on a specific patch set and thus new vulnerabilities are found in say Oracle or Red Hat or Apache, if they aren’t patched they and the application they serve are “vulnerable”.

So what to do in such a situation? Do you allow apps to run on unsupported/unpatched infrastructure knowing it will operate fine? Or do you have to meet in the middle somewhere? Also, is this kind of scenario common? I assume all of you have apps developed by some 3rd party based on a specific technology stack? Are vulnerabilities found in database level products like Oracle typically seen as “low risk” and “low liklehood” of compromise, where missing apache patches seen as “higher risk”, and “higher liklehood” of compromise?
0
Comment
Question by:pma111
1 Comment
 
LVL 31

Accepted Solution

by:
farzanj earned 250 total points
Comment Utility
On RedHat, the RedHat recommended policy is to create new RPMS.  In the process you creating new RPMS, you put the patch files, which are merged together by the RPM creation process.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Suggested Solutions

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
The Bounty Board allows you to request an article or video on any technical topic, or fulfill a bounty request to earn points. Watch this video to learn how to use the Bounty Board to get the content you want, earn points, and browse submitted bount…
Notifications on Experts Exchange help you keep track of your activity and updates in one place. Watch this video to learn how to use them on the site to quickly access the content that matters to you.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now