- $NEW_JOB Security Guy: We harden all our systems before client delivery!
- Me: Cool! But what happens if you need to apply an update that is tripped by the hardening?
- Security Guy: We don't update our hardened systems! That's why our systems are hardened.
- Me: You... don't update... your systems?
- Security Guy: Nope!
- Me: Ever?
- Security Guy: Ever. They stay that way for the duration of the project.
- Me: Which is...?
- Security Guy: Usually 10 years. 🤦♂️
I know. I am going to have a little chat with the security guy and his boss soon. I'll let you know how it goes.
(Narrator: "It did not go well")
The two are not exclusive of each other. It is quite common, even in high-security systems, to temporarily "degrade" or "deactivate" security measures to allow updates to proceed.
Once updated, the original security configuration of the system is re-applied and the system is locked down again.
See #openbsd securelevel(7) for instance:
"I appreciate SDF but it's a general-purpose server and the name doesn't make it obvious that it's about art." - Eugen Rochko