Anyone seen any solid research on third party software support? (or even vacuous research?) What do we know about the scale, scope, and focus of the industry? Anyone know any experts? Or even have some experience with vendors?
Allan Friedman (allanfriedman@infosec.exchange)'s status on Friday, 22-Nov-2024 00:39:53 JST Allan Friedman
Josh Bressers (joshbressers@infosec.exchange)'s status on Friday, 22-Nov-2024 00:39:52 JST Josh Bressers
@allanfriedman I don't understand what you mean by "3rd party software support"
kurtseifried (he/him) (kurtseifried@infosec.exchange)'s status on Friday, 22-Nov-2024 00:41:26 JST kurtseifried (he/him)
@joshbressers @allanfriedman I'm guessing the whole "we didn't make it but we try to support it", so literally every MSP on the planet trying to fix your messed up Windows network...
Allan Friedman (allanfriedman@infosec.exchange)'s status on Friday, 22-Nov-2024 00:49:08 JST Allan Friedman
building on my RSA talk https://www.rsaconference.com/USA/agenda/session/All%20Good%20Things%20End%20of%20Life%20and%20End%20of%20Support%20in%20Policy%20and%20Practice
Josh Bressers (joshbressers@infosec.exchange)'s status on Friday, 22-Nov-2024 00:49:08 JST Josh Bressers
@allanfriedman @kurtseifried I have minimal experience with the closed source universe, but this is sort of the commercial Linux distribution model
Folks like Red Hat, SUSE, and Canonical support open source they didn't write, sometimes for a decade
Long after the upstream has given up on those versions
Allan Friedman (allanfriedman@infosec.exchange)'s status on Friday, 22-Nov-2024 00:49:09 JST Allan Friedman
@kurtseifried @joshbressers in particular, paid support for commercial software that is no longer supported by the OEM.
("support" is another challenge)
kurtseifried (he/him) (kurtseifried@infosec.exchange)'s status on Friday, 22-Nov-2024 00:50:45 JST kurtseifried (he/him)
@joshbressers @allanfriedman 13 years. https://access.redhat.com/support/policy/updates/errata
Although to be honest the extended life phase support is for stuff like shellshock, think low single digit patches per year, not a steady stream (unless something has changed, I imagine it hasn't).
kurtseifried (he/him) (kurtseifried@infosec.exchange)'s status on Friday, 22-Nov-2024 01:21:56 JST kurtseifried (he/him)
@allanfriedman @joshbressers Don't forget the weird sub group of companies offering binary patches for Windows either solving issues the vendor hasn't yet, or providing "non reboot" fixes:
0patch: Operated by Acros Security, 0patch specializes in delivering "micropatches"—small, in-memory fixes for software vulnerabilities. They have addressed various Windows security issues, including the SMBGhost vulnerability, before Microsoft's official patches were released. Additionally, 0patch has extended support for Windows versions beyond their official end-of-life dates by providing security patches for Windows 7 and plans to do the same for Windows 10 after its support ends in October 2025.
https://www.techspot.com/news/103593-windows-10-get-five-extra-years-support-courtesy.html
There are others as well, Shavlik, I can't recall any other names. Also a bunch in the Linux space, like KernelCare.
Allan Friedman (allanfriedman@infosec.exchange)'s status on Friday, 22-Nov-2024 01:21:56 JST Allan Friedman
definitely tracking RH, etc.
Is there a better term for what I'm describing for proprietary SW?
And Kurt - been intrigued by 0patch and other shim solutions since meeting @mkolsek years ago at RSA. Super cool idea. (except it does extreme violence to a lot of assumed trust models...)
Josh Bressers (joshbressers@infosec.exchange)'s status on Friday, 22-Nov-2024 01:21:56 JST Josh Bressers
@allanfriedman @kurtseifried @mkolsek
In the analog world, I would probably bucket this into the "aftermarket" category, but it's still a bit different