Currently, the most widespread means of preventing intrusions is patching, and it's failing miserably. The number of security incidents reported to CERT has grown exponentially over the past six years, reaching an all-time high of 137,529 in 2003, which was also the year that the Blaster and MS-SQL Slammer worms caused widespread devastation. Patch management seeks to address these issues through automation that lets patches be installed rapidly and without Herculean human effort. But patch management is of limited benefit. Consider the following:
• Faulty patches can bring down critical servers and cost an organization more than a security breach. This is an all-too-common scenario: An analysis by WireX Communications and Zero Knowledge Systems indicates that one-fifth of all new patches are revised. Hence, it is very risky to deploy a patch immediately without thorough regression testing to make sure the patch will not cause damage.
• Sometimes vendors do not develop a patch because they mistakenly regard a vulnerability as unimportant or they do not have the time and resources to do so. As of June 2003, there were 19 unpatched vulnerabilities in Microsoft's Internet Explorer. Many of these were serious and resulted in costly breaches and inconvenience to users.
• Some vulnerabilities cannot be fixed by patching. Patch management will not correct vulnerabilities caused by misconfiguration, such as default settings that allow access to systems that should be restricted.
• Vendors cannot develop a patch if they are unaware of the vulnerability. Most vulnerabilities are discovered by non-vendor third parties. Legitimate researchers follow responsible-disclosure guidelines, giving vendors time to develop patches before announcing vulnerabilities. Unfortunately, some parties release vulnerability information without informing vendors beforehand. In these cases, patch management is useless, because it can only protect against vulnerabilities that the vendor learns of well before attackers do.
• New hacker tools are reducing the patching window. These tools let attackers automatically reverse-engineer a patch to determine what was fixed and develop an exploit, sometimes within hours of patch release. Even with patch management, deployment speed is constrained by regression testing.