When Vulnerability Patches Don't Fix the Problem - bretthardin
http://blog.sourceninja.com/when-vulnerability-patches-dont-fix-the-problem/

======
deadman1204
I think it's just a commercial

~~~
bretthardin
We wanted to build a product that helps people get information about the
security issues that affect their apps and servers specifically.

Information security has problems getting everyone to know about the security
patch when it is pushed. We wanted to address the issue to help everyone be
more secure.

~~~
darklajid
How?

I cannot judge the service, I don't use it and never saw it before. But the
problem you describe isn't solved by your 'pay to be notified' solution. That
samba installation in a small company, done 3 years ago by an intern/student?
It won't be fixed. My gut feeling (aka no evidence) says that most
installations will be on the small scale, one off. You are offering a service
for people who care already - or learned to care.

In other words: It seems to me as if you cater to people that are already on
the relevant mailing lists. But maybe you make their life easier..?

~~~
bretthardin
We have a free plan also, so everyone can get notified of the issue.

The change won't happen overnight, but if there are tools available that help
organizations run more secure software, without false positives, doesn't it
benefit everyone?

~~~
darklajid
Yes. But your tools are just nicer versions of existing ways to care, no?

The AWARENESS problem persists as far as I can tell?

~~~
jerf
They are trying to solve the awareness problem for their customers. They are
not trying to solve the awareness problem for the whole world. (Since this is
impossible, I do not hold it against them.) You do not have them caught in a
contradiction.

~~~
darklajid
I do not want to be 'right' or 'catch' anyone. I try to question and
understand.

That said, my parser did find some claim to improve the whole world ('benefit
everyone') in the explanation. Nothing bad about that goal either.

------
mkonda
I need this. As a dev, I want to know whether my dependencies are vulnerable.

~~~
bretthardin
Glad to hear.

------
bretthardin
What do you guys think? Do you think that distribution of patch information is
a problem?