[ISN] Security patch RFP delayed

From: InfoSec News (isnat_private)
Date: Tue Sep 04 2001 - 02:20:06 PDT


    By Diane Frank 
    Aug. 30, 2001 

    The Federal Computer Incident Response Center is delaying its
    solicitation for a system that will automatically send out security
    patches to civilian agencies in order to expand the types of software
    that will be covered, officials said this week.

    FedCIRC started working on the idea for an automated patch
    dissemination system late last year and planned to release a request
    for proposals by the end of August. But comments from agencies and
    industry revealed a feeling that the original RFP was too narrow
    because it focused only on operating systems, said Lawrence Hale,
    liaison director at FedCIRC.

    "We need to broaden the scope of it somewhat," Hale said.

    The rewrite, based on many agency requests, should be done in time to
    allow FedCIRC to release the RFP before the end of September. It will
    include patches for many of the standard applications used across
    government as well as for the commonly used operating systems, he

    "We've learned a lot about what's out there, and the capability of the
    vendors has improved," he said.

    The idea behind the system is to raise the basic level of federal
    security by making it easier for agencies to fix vulnerabilities in
    commercial products.

    Studies have shown that attackers continue to use the same
    vulnerabilities to get into systems, as in the case of the Code Red
    worm, because administrators have not applied readily available
    software patches. But the same studies show that administrators are
    often simply overwhelmed by the sheer number of patches available, or
    they do not even realize that a vulnerability or a patch exists.

    Using the patch dissemination system, agencies would be able to submit
    and update a profile of their operating systems and applications. This
    way, system administrators would only get the patches that apply to
    their network configuration.

    "We recognize this as a strong need within government," Hale said. "We
    think it will really help the posture overall and establish a

    This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 05:56:33 PDT