
Sizing up the great patch debate

By John Dix, Network World
November 22, 2004 12:08 AM ET

The three distinct vendor groups we invited to participate in our online debate "How best to patch?" struggled to distinguish themselves in our forum last week (see the whole debate).

All but one argued that patching is part of something bigger. As could be expected, Altiris and Configuresoft tried to convince us that patching is part of the broader effort of tending to systems. "Patch management is simply the tip of the iceberg when it comes to proper configuration management," Configuresoft said.

And with their security roots, Symantec and Citadel told us we patch systems because we are trying to alleviate security concerns, so approaching the problem from that vantage point is wisest. In Citadel's words: "Patch management is a reactive response to external risks and is inadequate because it only addresses software defects which represent 20% to 30% of the critical system and network vulnerabilities in IT environments. . . . Enterprise vulnerability management is a more proactive and holistic approach."

Even BigFix, which we had put in the pure-play patch bucket, argued that patch management has to be part of a grander scheme. It tries to keep a foot in both the configuration and security camps by saying patching is part of configuration and security management.

Only Shavlik Technologies argued for the pure-play approach, saying a singular focus is necessary because the problem is so difficult. "Patch management is an arduous task and requires detailed patch analysis and testing to ensure networks are protected from vulnerabilities," it said. In an effort to bolster its argument, Shavlik says other vendors - including Microsoft, Symantec and NetIQ - use its technology in their patch solutions.

But if you don't need other pieces to fill in the patch puzzle, why would you buy a patching tool from these other vendors instead of directly from Shavlik?

All this talk of management, of course, raises the question of how the big enterprise management vendors fit in.

When we opened the debate to the public on Wednesday (up to that point it was a private debate among the vendors, our staff and guest expert Felicia Nicastro, from International Network Services), management heavyweight Computer Associates waded in. CA views patching as part of vulnerability management and offers an appliance and a service to cover the bases.

While there was no clear winner in the debate, it's hard to walk away without viewing patching as simply part of something else. Whether it is best built into configuration or security management probably depends on the nature of your business.
