
I know this question probably doesn't go here, but I don't know which Overflow site to use. We have a web server that we use for customers to access our things. Our IT/security team believes it is on my developer to keep the system patched for security/operation reasons. I don't believe a web developer is going to be able to maintain patching efficiently. What are your thoughts on the following?

Should my developers be doing OS patching for security purposes?

Should my developers be responsible for doing scans to check for vulnerabilities?

Should the IT/Sec team be doing scans and notifying the developers that patches are needed?

How do you delineate the responsibilities in your environment?

bart2puck

  • I believe that if your organization has both sides claiming security isn't their responsibility, then you have problems that are far beyond technical in nature. My thoughts are that this should be a defined policy on who does it. I don't care who that is. – Jun 02 '20 at 15:55
  • I fleshed out the question a bit. It's less about who should be responsible, and more about who would be better at it / more thorough and efficient. – bart2puck Jun 02 '20 at 15:59
  • If the server goes down, who is responsible? If the server is compromised, who is responsible? If the code/site doesn't work, who is responsible? – joeqwerty Jun 02 '20 at 16:00
  • That's what I am trying to understand, joeq. "Down" could be 1000 things: bad code, bad OS, no power in the colo, internet circuit down. If my devs can't reach the server, are they responsible for trying to troubleshoot why? Obviously if the code is buggy, it's on them, but there seems like there should be a line somewhere between the coding and the system the code rides on. – bart2puck Jun 02 '20 at 16:02

1 Answer

Should my developers be doing OS patching for security purposes?

No. This should be handed off to sysadmins. Separation of concerns.

Should the IT/Sec team be doing scans and notifying the developers that patches are needed?

Yes, but only as an assessment of risk. What they should be finding is that no patches are needed, because they are being installed proactively within the required amount of time. Waiting for a security team to compel you to patch is how to be an Equifax.

Greg Askew
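As an added example (not part of the question or of Greg Askew's answer) of what "installed proactively within the required amount of time" looks like once the IT/Sec team's scan results are measured against a patch window: the Python below parses a scanner export and lists every finding that is past its SLA, so the scan reads as a risk assessment rather than as the trigger to start patching. The CSV layout, the host and finding names, the as-of date and the per-severity windows are all assumptions chosen for illustration, and the sample export is constructed.

```python
"""Flag vulnerability-scan findings that have exceeded a patch SLA.

Added example, not from the original post. It assumes a scanner export
with one finding per line in the form

    host,finding,severity,first_seen(YYYY-MM-DD)

and a per-severity patch window in days. Both the format and the window
values are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed patch windows (days) per scanner severity.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed "today" for the report, so the example is reproducible offline.
AS_OF = date(2020, 6, 2)

# Constructed sample export: hosts, finding names and dates are made up.
SAMPLE_EXPORT = """\
host,finding,severity,first_seen
web01,openssl-update,critical,2020-05-20
web01,nginx-update,high,2020-05-30
web02,kernel-update,medium,2020-02-01
web02,bash-update,low,2020-05-29
"""


@dataclass(frozen=True)
class Finding:
    host: str
    finding: str
    severity: str
    first_seen: date

    def due(self) -> date:
        """Last acceptable patch date for this finding's severity."""
        return self.first_seen + timedelta(days=PATCH_SLA_DAYS[self.severity])


def parse_export(text: str) -> list[Finding]:
    """Parse the assumed CSV export; the first non-empty line is the header."""
    findings: list[Finding] = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:
        host, name, severity, seen = (f.strip() for f in line.split(","))
        severity = severity.lower()
        if severity not in PATCH_SLA_DAYS:
            # Fail loudly: an unmapped severity would silently get no SLA.
            raise ValueError(f"unknown severity {severity!r} on host {host}")
        findings.append(Finding(host, name, severity, date.fromisoformat(seen)))
    return findings


def overdue(findings: list[Finding], today: date) -> list[tuple[Finding, int]]:
    """Return (finding, days overdue) for findings past their SLA, worst first."""
    late = []
    for f in findings:
        days_late = (today - f.due()).days
        if days_late > 0:
            late.append((f, days_late))
    late.sort(key=lambda item: item[1], reverse=True)
    return late


def overdue_by_host(findings: list[Finding], today: date) -> dict[str, int]:
    """Count overdue findings per host, for the hand-off to whoever patches."""
    counts: dict[str, int] = {}
    for f, _ in overdue(findings, today):
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


def report(text: str = SAMPLE_EXPORT, today: date = AS_OF) -> list[str]:
    """Human-readable lines for every overdue finding in the export."""
    return [
        f"{f.host}: {f.finding} ({f.severity}) was due {f.due()}, {days} day(s) overdue"
        for f, days in overdue(parse_export(text), today)
    ]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run against the constructed export as of 2020-06-02, the critical finding on web01 (seen 2020-05-20, 7-day window) and the medium finding on web02 (seen 2020-02-01, 90-day window) come out overdue; the high and low findings are still inside their windows. Findings that are inside the window are not reported, which is the state the answer describes: the scan confirms that patching is already happening on schedule.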