[Discuss] CrowdStrike

[kentborg at borg.org (Kent Borg)]

On 7/24/24 11:42, Dale R. Worley wrote:
> I'd love to see (but never will) some big corporation's cost/benefit
> analysis of the Crowdstrike mess -- how much did they save by not
> staging rollout of security patches, how much did they lose from the
> disaster.

A gradual roll out doesn't cost any *money* beyond a little coding to 
implement it, and some awareness of whether things are blowing up and to 
stop the roll out if they are.

No, the cost is in being gradual itself. They want speed, they want to 
race ahead of the bad guys. I bet they have marketing materials that 
tout this speed. Anything that slows it down would be a bug.


> I also wonder how CrowdStrike's automated QA didn't detect this before
> the realease.  I mean "apply patch, 100% BSOD" ought to have been
> noticed!

Remember, "QA" is a dirty word these days. They probably have some tests 
the autorun in some github CI pipeline, or something like that. But 
actually testing on a real machine would take time (not allowed to slow 
things down!), would be work, and would require a QA department, and no 
"best practices", $60B* company is allowed to have a QA department, not 
in 2024!

Probably they had a really complicated test that was supposed to catch 
this, but really complicated tests are themselves buggy. Who tested that 
the test catches the failures it is supposed to test? Not the 
non-existent QA department?


-kb


* They used to be worth somewhat more. More like $80B, if I did my 
arithmetic right.