Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

3rd party patching

Posted on 2011-03-15
1
257 Views
Last Modified: 2012-08-13
Has anyone established any acceptable policies around 3rd party suppliers and patch management? For example, let’s say 3rd party “Systems Ltd” develops you a payroll application called “payapp” that runs on red hat linux platform, is driven by an oracle database and the web service is apache. Your environment is hosted by another 3rd party, let’s call them “a support” who are responsible in the contract for patch management but typically this is windows related patching via WSUS, and doesn’t extend to apache, linux, oracle unless specified in the contract.

So we run a vulnerability scanner like Nessus or whatever, and it flags up numerous missing security patches on the web and data server, missing patches for everything, red hat, oracle database and apache. And then it comes down to who is to blame.

Typically we get a response from the application developers saying we only support the application on a certain “patch set”, which I assume means if “ a support” start patching Oracle to cover all latest security issues, and then the app all of a sudden starts going wappy and not working, “Systems Ltd” aren’t to blame and “a support” are. But, if “Systems Ltd” only support their app on a specific patch set and thus new vulnerabilities are found in say Oracle or Red Hat or Apache, if they aren’t patched they and the application they serve are “vulnerable”.

So what to do in such a situation? Do you allow apps to run on unsupported/unpatched infrastructure knowing it will operate fine? Or do you have to meet in the middle somewhere? Also, is this kind of scenario common? I assume all of you have apps developed by some 3rd party based on a specific technology stack? Are vulnerabilities found in database level products like Oracle typically seen as “low risk” and “low liklehood” of compromise, where missing apache patches seen as “higher risk”, and “higher liklehood” of compromise?
0
Comment
Question by:pma111
1 Comment
 
LVL 31

Accepted Solution

by:
farzanj earned 250 total points
ID: 35137793
On RedHat, the RedHat recommended policy is to create new RPMS.  In the process you creating new RPMS, you put the patch files, which are merged together by the RPM creation process.
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Data breaches are on the rise, and companies are preparing by boosting their cybersecurity budgets. According to the Cybersecurity Market Report (http://www.cybersecurityventures.com/cybersecurity-market-report), worldwide spending on cybersecurity …
Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
The Bounty Board allows you to request an article or video on any technical topic, or fulfill a bounty request to earn points. Watch this video to learn how to use the Bounty Board to get the content you want, earn points, and browse submitted bount…
Articles on a wide range of technology and professional topics are available on Experts Exchange. These resources are written by members, for members, and can be written about any topic you feel passionate about. Learn how to best write an article t…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question