On 7/24/24 11:42, Dale R. Worley wrote:
> I'd love to see (but never will) some big corporation's cost/benefit
> analysis of the Crowdstrike mess -- how much did they save by not
> staging rollout of security patches, how much did they lose from the
> disaster.
A gradual rollout doesn't cost any *money* beyond a little coding to
implement it, and some awareness of whether things are blowing up and to
stop the rollout if they are.
No, the cost is in being gradual itself. They want speed, they want to
race ahead of the bad guys. I bet they have marketing materials that
tout this speed. Anything that slows it down would be a bug.
> I also wonder how CrowdStrike's automated QA didn't detect this before
> the release. I mean "apply patch, 100% BSOD" ought to have been
> noticed!
Remember, "QA" is a dirty word these days. They probably have some tests
that autorun in some GitHub CI pipeline, or something like that. But
actually testing on a real machine would take time (not allowed to slow
things down!), would be work, and would require a QA department, and no
"best practices", $60B* company is allowed to have a QA department, not
in 2024!
Probably they had a really complicated test that was supposed to catch
this, but really complicated tests are themselves buggy. Who tested that
the test catches the failures it is supposed to test? Not the
non-existent QA department…
-kb
* They used to be worth somewhat more. More like $80B, if I did my
arithmetic right.
_______________________________________________
Discuss mailing list
Discuss@driftwood.blu.org
https://driftwood.blu.org/mailman/listinfo/discuss