Comments on Errata Security: A Call for Better Vulnerability Response
Feed author: David Maynor (http://www.blogger.com/profile/09921229607193067441)
Feed updated: 2024-01-16T05:48:33.523-05:00

Comment by Unknown (https://www.blogger.com/profile/15841907673689807959), 2015-01-19T13:09:11.492-05:00:

"Google uses modern "agile" processes to develop software. That means that after making a change, the new software is tested automatically and shipped to customers within 24 hours. Microsoft is still mired in antiquated 1980s development processes, so that it takes three months and expensive manual testing before a change is ready for release. Google's standard doesn't affect everyone equally -- it hits old vendors like Microsoft the hardest."

Man, what BS! Where do you get this stuff?

Comment by AnObfuscator (https://www.blogger.com/profile/02986806374929161807), 2015-01-13T14:42:58.244-05:00:

I liked most of your article. I would even suggest that the 90 day delay is overly generous. I would rather have the information on all the unpatched vulnerabilities that exist in my systems, then make an informed decision to continue using those systems or not. For Google to extend its time beyond 90 days would be irresponsible to the general public, IMHO.

However, your depiction of "agile" is a little bit overstated. Microsoft *does* do agile, and is doing more. However, a 24 hour continuous deployment cycle can be unrealistic, especially with acceptance and performance tests that may take more than 24 hours to complete!

In the agile teams I've worked on, we release a fully tested product version at the end of every sprint (2-4 weeks). That 24 hour cycle of CD works great for websites, but testing operating systems is vastly more complex and time consuming; a 24 hour cycle just isn't realistic, IMHO.

Comment by JimTom (https://www.blogger.com/profile/04979562142052838337), 2015-01-13T12:32:03.678-05:00:

This comment has been removed by the author.

Comment by dre (https://www.blogger.com/profile/17414510788948258195), 2015-01-12T13:16:33.959-05:00:

"policy is fairly simple, we provide vendors with information about the flaw, and after 15 days communicate the vulnerability information to CERT. CERT has a fixed 45-day disclosure that results in the report-to-advisory period taking approximately 60 days. As a courtesy, I usually wait 30 days from the release of the advisory to adding the exploit to the Metasploit Framework."