[ISN] Patch system in the works

From: InfoSec News (isnat_private)
Date: Tue Mar 26 2002 - 00:34:35 PST

    http://www.fcw.com/fcw/articles/2002/0325/news-patch-03-25-02.asp
    
    By Diane Frank 
    March 25, 2002
    
    The General Services Administration expects to award a contract today
    to a team led by Science Applications International Corp. to set up a
    governmentwide system to notify agencies about security holes in
    commercial software products and the availability of patches to fix
    them.
    
    The security patch dissemination system is seen as critical to the
    security of government operations. People who create computer viruses
    or hack into Web sites frequently do so by exploiting small flaws in
    operating systems or applications.
    
    In many cases, security patches — small blocks of code — are available
    online from vendors or popular security organizations, but agencies
    often do not know about, seek or apply patches until it is too late.
    
    The $1.5 million, one-year task order expected to be awarded via the
    GSA Safeguard contract will enable agencies to get notification about
    patches from commercial software vendors for systems on their
    networks.
    
    "This will help agencies correct what, to me, is one of the largest
    problems that exists," said Sallie McDonald, GSA's assistant
    commissioner for information assurance and critical infrastructure
    protection.
    
    Agency officials whom GSA's Federal Computer Incident Response Center
    (FedCIRC) talked to last week were "very excited" about the award,
    McDonald said.
    
    Security officials at the Office of Management and Budget and other
    federal organizations have encouraged agencies to address the patch
    problem. However, they admit that most systems administrators are
    simply overwhelmed by the number of patches issued for their own
    systems, much less those for systems they do not even use.
    
    Using the new system, administrators will be able to provide SAIC and
    its subcontractor, Vigilinx Inc., with a profile of their network
    systems, McDonald said. This will ensure that they receive only the
    patches that apply to their systems.
    
    The system, hosted on the FedCIRC Web site, will give systems
    administrators a single point for all patches, said Gene Hunt,
    corporate vice president of SAIC's system security and engineering
    operation. The SAIC team will provide patches and test whether they
    actually work, he said.
    
    The team also will use the system to alert subscribers about potential
    vulnerabilities and, when possible, tell them what steps they can take
    to address problems before a patch is available. Once a patch is
    available, the SAIC team will notify subscribers, test the patch, then
    tell subscribers it is available via download.
    
    The system also will improve security management by listing for
    managers the available patches and which ones their systems
    administrators have downloaded, Hunt said. When a patch is downloaded,
    the system also will automatically send an e-mail to FedCIRC, he said.
    
    SAIC will start marketing the service to agencies this week, and it
    should be fully operational in June, McDonald said. GSA is paying for
    the full cost of the system and service, so it is free for agencies.
    
    "It's really going to help them do their jobs better," she said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    


