On Feb 23, 2011, at 10:23 PM, John R Pierce <pierce at hogranch.com> wrote: > On 02/23/11 6:08 PM, Machin, Greg wrote: >> >> Hi. >> >> I have had an enquiry from the Network and Security guy. He wants to >> know why CentOS 5.5 /RHEL 5 is using a very old version of bind >> “bind-chroot-9.3.6-4.P1.el5_5.3” when the latest release that has many >> security fixes is on 9.7.3 . I understand that its to maintain a known >> stable platform by in introducing new elements etc .. Is there an >> official explanation / document that I can direct him to. >> >> > > to put it bluntly, your security guy is pretty much worthless as such if > he thinks security is audited by checking version numbers. > > sadly, this is too common. Let's face it most auditors these days are just accountants with Infosys Mgmt text books. The ridiculously high levels of regulations has created a demand for auditors that can no longer be filled by competent IT skilled auditors. Oh well these are the days. -Ross