- $NEW_JOB Security Guy: We harden all our systems before client delivery!
- Me: Cool! But what happens if you need to apply an update that is tripped by the hardening?
- Security Guy: We don't update our hardened systems! That's why our systems are hardened.
- Me: You... don't update... your systems?
- Security Guy: Nope!
- Me: Ever?
- Security Guy: Ever. They stay that way for the duration of the project.
- Me: Which is...?
- Security Guy: Usually 10 years. 🤦♂️
I know. I am going to have a little chat with the security guy and his boss soon. I'll let you know how it goes.
(Narrator: "It did not go well")
@mgrondin @ParadeGrotesque that sounds like the usual conflict between security and safety.
One wants a well known state of the system that is tested inside out to guarantee it's behavior.
The other wants to easily upgrade to fix bugs and vulnerabilities.
The two are not exclusive of each other. It is quite common, even in high-security systems, to temporarily "degrade" or "deactivate" security measures to allow updates to proceed.
Once updated, the original security configuration of the system is re-applied and the system is locked down again.
See #openbsd securelevel(7) for instance:
@ParadeGrotesque run away screaming
