[Discuss] CrowdStrike
Kent Borg
kentborg at borg.org
Wed Jul 24 15:59:50 EDT 2024
On 7/24/24 11:42, Dale R. Worley wrote:
> I'd love to see (but never will) some big corporation's cost/benefit
> analysis of the Crowdstrike mess -- how much did they save by not
> staging rollout of security patches, how much did they lose from the
> disaster.
A gradual rollout doesn't cost any *money* beyond a little coding to
implement it, and some awareness of whether things are blowing up and to
stop the rollout if they are.
No, the cost is in being gradual itself. They want speed, they want to
race ahead of the bad guys. I bet they have marketing materials that
tout this speed. Anything that slows it down would be a bug.
> I also wonder how CrowdStrike's automated QA didn't detect this before
> the release. I mean "apply patch, 100% BSOD" ought to have been
> noticed!
Remember, "QA" is a dirty word these days. They probably have some tests
that autorun in some GitHub CI pipeline, or something like that. But
actually testing on a real machine would take time (not allowed to slow
things down!), would be work, and would require a QA department, and no
"best practices", $60B* company is allowed to have a QA department, not
in 2024!
Probably they had a really complicated test that was supposed to catch
this, but really complicated tests are themselves buggy. Who tested that
the test catches the failures it is supposed to test? Not the
non-existent QA department…
-kb
* They used to be worth somewhat more. More like $80B, if I did my
arithmetic right.
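As an added illustration of the point made above, that a gradual rollout costs little more than some code plus a halt condition, here is a toy ring-based rollout with an automatic stop. It is not from the post or from any vendor; the fleet, the two update functions and the ring sizes are all constructed assumptions.

```python
# Added example: ring-based staged rollout that halts itself when a ring
# shows too many failures. Fleet, updates and thresholds are constructed.
from dataclasses import dataclass, field

RINGS = (0.01, 0.10, 0.50, 1.00)   # cumulative share of the fleet per ring
MAX_FAILURE_RATE = 0.05            # halt if more than 5% of a ring fails


@dataclass
class RolloutResult:
    halted: bool
    rings_completed: int
    updated: list = field(default_factory=list)
    failed: list = field(default_factory=list)


def staged_rollout(hosts, apply_update, rings=RINGS,
                   max_failure_rate=MAX_FAILURE_RATE):
    """Push apply_update(host) ring by ring; stop as soon as one ring's
    failure rate exceeds max_failure_rate. apply_update returns True when
    the host comes back healthy after the update."""
    result = RolloutResult(halted=False, rings_completed=0)
    done = 0
    for share in rings:
        target = max(1, round(len(hosts) * share))  # canary ring is never empty
        ring = hosts[done:target]
        done = target
        if not ring:                      # ring already covered by an earlier one
            result.rings_completed += 1
            continue
        ring_failed = {h for h in ring if not apply_update(h)}
        result.failed.extend(sorted(ring_failed))
        result.updated.extend(h for h in ring if h not in ring_failed)
        if len(ring_failed) / len(ring) > max_failure_rate:
            result.halted = True          # never reach the next, larger ring
            return result
        result.rings_completed += 1
    return result


# Constructed fleet plus two constructed updates: one that takes every host
# down (the "apply patch, 100% BSOD" case) and one that is harmless.
FLEET = [f"host-{i:04d}" for i in range(1000)]

def bad_update(host):
    return False   # host never reports healthy again

def good_update(host):
    return True

if __name__ == "__main__":
    r = staged_rollout(FLEET, bad_update)
    print(f"bad update: halted={r.halted}, {len(r.failed)}/{len(FLEET)} hosts hit")
    r = staged_rollout(FLEET, good_update)
    print(f"good update: halted={r.halted}, {len(r.updated)} hosts updated")
```

With a 1% canary ring the crashing update is stopped after 10 of 1000 hosts; the harmless one reaches the whole fleet.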