No more on the patch debate, please!

Mar 03, 2003
Enterprise Applications, Security

* Dave's very last word on patch management (until the autumn, at least)

Last week, I promised that I had given my last word on patch management products for at least six months. I was hoping that you, dear reader, would take the hint. I don’t want to hear about patch management schemes, patch management services, patch management applications or patch management horror stories (well, unless they’re really funny) for another six months.

For a couple of days, “patch management” was the No. 1 subject in my inbox, far surpassing the get-rich-quick and get-porn-now e-mails put together. It seems that just about every software vendor, software engineer, and hacker who ever wrote “Hello World!” on a computer monitor has also written a patch management application, service or system and they all wanted to be sure I knew about it. Their spouses and children wanted to be sure I knew. So did their cousins and their neighbors.

Surprisingly, though, there appears to be lots of resistance to the sorts of automated patch management systems I talked about.

Resistance generally takes two forms: homegrown systems and manual systems. I heard from a few folks who still hold to an “if it ain’t broke, don’t fix it” philosophy. That may have served us in good stead during the 1980s, but in the complex, interconnected technology world of today it’s simply no longer tenable. A better aphorism for today’s patching philosophy should be “don’t wait until the horse has gone before you bar the barn door.”

Users touting homegrown systems point to price as their biggest concern – they see no reason to pay for something they can do themselves (I wonder if they ever eat in restaurants?). They don’t seem to realize that (another aphorism) “time IS money”. If your network is running so smoothly that you can take the time to fashion patch management services perhaps you’ve got too many people in your department – or perhaps you’re seriously underestimating what needs to be done in patch management.

I have some sympathy for those who hold out against the automatic nature of most patch-management apps and services. It’s true that no two network systems are identical – there are hardware and software differences aplenty. Mindless patching of all possible systems can lead to huge headaches when something goes wrong and the entire network grinds to a halt. But most current systems don’t work that way (although lots of those “homegrown” ones do).

Typically, the automatic systems will first inform you that a patch is available, then install it in a test situation. Only once you’re satisfied that everything is OK will you deploy the patch throughout the network. That deployment isn’t mindless either: you can usually filter, on numerous conditions, which systems will be patched at any given time. This allows you to start with the most vulnerable or the least risky systems and then move in an orderly manner to the balance of the network.
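The staged workflow just described (notify, install on a test ring, approve, then deploy in filtered waves) is easy to model in code. The following Python module is an added illustration written for this column, not code from any of the patch management products it mentions. The host inventory, the `Patch` identifier, the role names and the two wave strategies are all constructed for the example; the point it adds is that production deployment is refused by the state machine until every test host has reported success, and that the order of waves is a deliberate choice rather than "patch everything now".

```python
"""Staged patch rollout planner: available -> tested -> deploying (illustrative)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    role: str            # "web", "db" or "workstation"
    internet_facing: bool
    tier: str            # "test" or "prod"


@dataclass(frozen=True)
class Patch:
    patch_id: str        # hypothetical identifier, not a real advisory
    applies_to_os: str


# Constructed sample inventory; every name and attribute here is invented.
INVENTORY: List[Host] = [
    Host("test-web-1", "linux", "web", True, "test"),
    Host("test-db-1", "linux", "db", False, "test"),
    Host("web-1", "linux", "web", True, "prod"),
    Host("web-2", "linux", "web", True, "prod"),
    Host("db-1", "linux", "db", False, "prod"),
    Host("ws-1", "linux", "workstation", False, "prod"),
    Host("ws-2", "windows", "workstation", False, "prod"),   # not affected by a linux patch
]

# Which roles get patched first under each strategy (assumed ordering).
ROLE_ORDER = {
    "most-exposed-first": ["web", "db", "workstation"],
    "least-risky-first": ["workstation", "web", "db"],
}


class RolloutError(Exception):
    """Raised when a deployment step is attempted out of order."""


class Rollout:
    def __init__(self, patch: Patch, inventory: List[Host]):
        self.patch = patch
        # Only hosts the patch actually applies to take part in the rollout.
        self.hosts = [h for h in inventory if h.os == patch.applies_to_os]
        self.state = "available"          # available -> tested -> deploying (or held)
        self.deployed: List[str] = []

    def test_ring(self) -> List[Host]:
        """The hosts that receive the patch before anything in production."""
        return [h for h in self.hosts if h.tier == "test"]

    def record_test_results(self, results: Dict[str, bool]) -> bool:
        """Approve the patch only if every test-ring host reported success."""
        ring = {h.name for h in self.test_ring()}
        missing = ring - results.keys()
        if missing:
            raise RolloutError(f"no test result for {sorted(missing)}")
        if all(results[name] for name in ring):
            self.state = "tested"
            return True
        self.state = "held"               # a failing test host blocks the whole rollout
        return False

    def plan_waves(self, strategy: str = "most-exposed-first") -> List[List[str]]:
        """Group production hosts into ordered waves by role and exposure."""
        prod = [h for h in self.hosts if h.tier == "prod"]
        waves: List[List[str]] = []
        for role in ROLE_ORDER[strategy]:
            members = [h for h in prod if h.role == role]
            if strategy == "most-exposed-first":
                members.sort(key=lambda h: (not h.internet_facing, h.name))
            else:
                members.sort(key=lambda h: (h.internet_facing, h.name))
            if members:
                waves.append([h.name for h in members])
        return waves

    def deploy_wave(self, wave: List[str]) -> List[str]:
        """Deploy one wave; refused unless the test ring has been approved."""
        if self.state not in ("tested", "deploying"):
            raise RolloutError(
                f"patch {self.patch.patch_id} not approved for production (state={self.state})")
        self.state = "deploying"
        self.deployed.extend(wave)
        return list(self.deployed)


if __name__ == "__main__":
    rollout = Rollout(Patch("PATCH-0001", "linux"), INVENTORY)
    print("test ring:", [h.name for h in rollout.test_ring()])
    rollout.record_test_results({"test-web-1": True, "test-db-1": True})
    for wave in rollout.plan_waves("most-exposed-first"):
        print("deployed so far:", rollout.deploy_wave(wave))
```

Swapping the strategy string changes only the order of the waves, not the gate in front of them; the filtering conditions a real product offers (OS build, business unit, maintenance window) would be extra keys on `Host` and extra clauses in `plan_waves`.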

While I’m always happy to hear from you – and I welcome suggestions of topics for upcoming newsletters – please think twice before sharing your patch management methods, at least until the autumn. Thank you. Thank you, very much.