
Of course, disabling those auto updates will have you fail the external security audit and now your security team needs to fight with the rest of the leadership in the company explaining why you're generating needless delays, costs against the "state of the art in security industry" and why your security guys are smarter than the people who have the power to approve or deny your security certification.


I've taken part in some security audits where I work. They're not a joke only because they're a tragic story of incompetence, hubris, and rubberstamping. They 100% focus on checking boxes and cargo-culting, while leaving enormous vulnerabilities wide open.


> you fail the external security audit

aka, you fail the cover-your-ass security, rather than actual security.


Yep, but "trust us, we're secure, pinky promise by our internal employees" doesn't really work either.


Don't forget the press releases all saying "We take security very seriously!"


Employees would rather care for their employment and keep the boss happy than go against their orders.


What I don't understand is why they don't have a canary update process. Server side deployments do this all the time. You would think Windows would offer that to their institutional customers, for all types of updates including (especially) 3rd party.


This isn't a Windows update (which absolutely does let you do blue/green deployments via SUS), but rather a Crowdstrike update, which also lets you stage rollouts, and I expect several administrators are finding out why that is important.


I know about update policies, but afaik those are about the “agent” version. Today’s update doesn’t look like an agent version. The version my box is running was released something like a week ago.

Is there some possibility to stage rollouts of the other stuff it seems to download?
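The canary / ring-based rollout the comments above are asking for, as an added illustration that is not part of this thread and is not CrowdStrike's or Microsoft's code. The ring names, the 5% failure threshold and the telemetry dictionaries are constructed for the example; the one design point worth noticing is that a host which never reports back after the update is counted as failed, since a crashed endpoint cannot phone home.

```python
"""Ring-based staged rollout with a canary gate (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Ring:
    name: str
    hosts: List[str]


@dataclass
class RolloutResult:
    updated_rings: List[str] = field(default_factory=list)
    halted_at: Optional[str] = None   # ring at which promotion stopped, if any
    reason: Optional[str] = None


def ring_failure_rate(hosts: List[str], health: Dict[str, bool]) -> float:
    """Fraction of hosts in a ring that are not known to be healthy.

    A host missing from the telemetry counts as failed: "no news" after a
    kernel-level update must not be read as good news.
    """
    failed = sum(1 for h in hosts if not health.get(h, False))
    return failed / len(hosts)


def staged_rollout(rings: List[Ring], health: Dict[str, bool],
                   max_failure_rate: float = 0.05) -> RolloutResult:
    """Push the update ring by ring; stop promoting when a ring exceeds the limit."""
    result = RolloutResult()
    for ring in rings:
        result.updated_rings.append(ring.name)          # update lands on this ring
        rate = ring_failure_rate(ring.hosts, health)    # evaluated after the soak period
        if rate > max_failure_rate:
            result.halted_at = ring.name
            result.reason = (f"{rate:.0%} of hosts in ring '{ring.name}' unhealthy "
                             f"(limit {max_failure_rate:.0%})")
            break
    return result


# Constructed fleet: a small canary ring, an early-adopter ring, then everyone else.
RINGS = [
    Ring("canary", ["can-01", "can-02", "can-03", "can-04"]),
    Ring("early", [f"early-{i:02d}" for i in range(1, 21)]),
    Ring("broad", [f"prod-{i:03d}" for i in range(1, 201)]),
]
ALL_HOSTS = [h for r in RINGS for h in r.hosts]

# Constructed telemetry (host -> checked in healthy after the update).
GOOD_TELEMETRY = {h: True for h in ALL_HOSTS}
BAD_TELEMETRY = {"can-02": True}                 # only one canary host came back
NOISY_TELEMETRY = dict(GOOD_TELEMETRY)
NOISY_TELEMETRY["prod-150"] = False              # one unrelated failure in the broad ring


def run_demo():
    """Return the three rollout outcomes so a caller (or a test) can inspect them."""
    return (staged_rollout(RINGS, GOOD_TELEMETRY),
            staged_rollout(RINGS, BAD_TELEMETRY),
            staged_rollout(RINGS, NOISY_TELEMETRY))


if __name__ == "__main__":
    for label, outcome in zip(("good", "bad", "noisy"), run_demo()):
        print(label, outcome)
```

With the bad telemetry the rollout stops at the canary ring and the other 220 hosts never receive the content; with a single unrelated failure in the broad ring the 5% threshold lets the rollout complete, which is the tolerance you want so ordinary fleet noise does not block every release.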


I have been in these audits and nowhere does it say that software has to be 'auto updated', this is a ridiculous statement and requirement.

What a proper audit will look for is an update and testing control with supporting evidence.


Sounds like your employer has better auditing processes than most places.


Or lose IT/security insurance for not installing or disabling it.


Well, let's see how much insurance companies will pay now.


It’s not about whether they pay out, large enough customers demand you have insurance as a condition of sale. It’s cover your arse all the way down!


Kind of a big thing most people don't understand about the various forms of "Business Insurance." For the most part, businesses have whatever insurance whatever they are doing requires them to have. Those requirements are set by laws/regulations applied to those entities and the various entities they want to do business with.

At every small shop I've worked when the topic of Business Insurance came up with one of the owners, the response was extremely negative -- basically summarized as "it's the most you will ever pay for something you won't ever be able to use".


Yep, it’s pretty much a toll on doing business with entities. I’ve no doubt the intention is so your customer can sue you without you winding up, whether it actually works… no idea.


Why do we call managers "leaders" now? That's not what they are.


Well. Now you have something to point to. Next RFO you can ignore the blameless part and point to an executive override of a technical decision.
