
- $NEW_JOB Security Guy: We harden all our systems before client delivery!

- Me: Cool! But what happens if you need to apply an update that is tripped by the hardening?

- Security Guy: We don't update our hardened systems! That's why our systems are hardened.

- Me: You... don't update... your systems?

- Security Guy: Nope!

- Me: Ever?

- Security Guy: Ever. They stay that way for the duration of the project.

- Me: Which is...?

- Security Guy: Usually 10 years. 🤦‍♂️

@ParadeGrotesque I had to read that twice... how is he a security guy if he's OK with not updating a system for 10 years... even I know that's a VERY bad idea...

@mgrondin

I know. I am going to have a little chat with the security guy and his boss soon. I'll let you know how it goes.

(Narrator: "It did not go well")

@mgrondin @ParadeGrotesque that sounds like the usual conflict between security and safety.

One wants a well-known state of the system that is tested inside out to guarantee its behavior.

The other wants to easily upgrade to fix bugs and vulnerabilities.

@bekopharm

The two are not exclusive of each other. It is quite common, even in high-security systems, to temporarily "degrade" or "deactivate" security measures to allow updates to proceed.

Once updated, the original security configuration of the system is re-applied and the system is locked down again.

See securelevel(7) for instance:

man.openbsd.org/man7/securelev

@mgrondin

Mastodon @ SDF