[ISN] Security patch RFP delayed

From: InfoSec News (isnat_private)
Date: Tue Sep 04 2001 - 02:20:06 PDT

Next message: InfoSec News: "[ISN] FBI warns as Unix web server flaw gets automated"

Previous message: InfoSec News: "[ISN] [Review] Real World Linux Security: Intrusion Prevention, Detection, and Recovery"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.fcw.com/fcw/articles/2001/0827/web-rfp-08-30-01.asp

By Diane Frank 
Aug. 30, 2001 

The Federal Computer Incident Response Center is delaying its
solicitation for a system that will automatically send out security
patches to civilian agencies in order to expand the types of software
that will be covered, officials said this week.

FedCIRC started working on the idea for an automated patch
dissemination system late last year and planned to release a request
for proposals by the end of August. But comments from agencies and
industry revealed a feeling that the original RFP was too narrow
because it focused only on operating systems, said Lawrence Hale,
liaison director at FedCIRC.

"We need to broaden the scope of it somewhat," Hale said.

The rewrite, based on many agency requests, should be done in time to
allow FedCIRC to release the RFP before the end of September. It will
include patches for many of the standard applications used across
government as well as for the commonly-used operating systems, he
said.

"Weve learned a lot about whats out there, and the capability of the
vendors has improved," he said.

The idea behind the system is to raise the basic level of federal
security by making it easier for agencies to fix vulnerabilities in
commercial products.

Studies have shown that attackers continue to use the same
vulnerabilities to get into systems, as in the case of the Code Red
worm, because the administrators have not put on readily available
software patches. But the same studies show that administrators are
often simply overwhelmed by the sheer number of patches available, or
they do not even realize that a vulnerability or a patch exists.

Using the patch dissemination system, agencies would be able to submit
and update a profile of their operating systems and applications. This
way, system administrators would only get the patches that apply to
their network configuration.

"We recognize this as a strong need within government," Hale said. "We
think it will really help the posture overall and establish a
baseline."




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.

Next message: InfoSec News: "[ISN] FBI warns as Unix web server flaw gets automated"
Previous message: InfoSec News: "[ISN] [Review] Real World Linux Security: Intrusion Prevention, Detection, and Recovery"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 05:56:33 PDT