Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 09 Sep 2020 14:49:42 +0000
From: "The Doctor [412/724/301/703/415/510]" <>
To: "" <>
Subject: Re: Open Source Tool | vPrioritization | Risk Prioritization Framework

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, September 8, 2020 6:03 PM, Alex Gaynor <> wrote:

> Oh they have a policy. It says that systems will be patched in a timely
> manner. And then the kind accountants who perform the audits say, "Great
> policy, this is fully compliant, have an ATO and a gold star". And then

I wish I could not confirm this.  In the assignments I was given, this was the rule
and not the exception.

> random things all over the place are not patched at all because federal IT
> departments have astonishly poor automation practices, extremely limited

A lot of that seems to boil down to "You want to run this random piece of software
to automate the job we're paying you to do?  Forget it."  There is also the odd
"We won't run any software that doesn't have <some number of expensive independent
code audits and certifications> and what you want to do doesn't have those (even
though you claim they do, we think you're lying)."

> reuse of systems across distinct projects (contracts) within the agency and

Secure data erasure and platform disposal practices have something to do with this.

> there is nothing approaching a comprehensive way for a federal agency to
> answer "did we deploy the updated struts for all of our stuff".

With a side order of "the contractors we hired for this stuff should be on top of it,"
even when they're not the prime on the contract anymore.

The Doctor [412/724/301/703/415/510]
The old world is dying, and the new world struggles to be born. Now is the time of monsters.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.