Done patching your Windows system against the Blaster worm? Then you’ll have the time to read this piece from CSO Online: “Patch and Pray.” It uses the saga of the Microsoft SQL Server “Slammer” worm from last winter to explore why and how the whole patching process has gone astray.
As the volume and complexity of software increases, so does the volume and complexity of patches. The problem with this, says SEI’s Hernan, is that there’s nothing standard about the patch infrastructure or managing the onslaught of patches…
There are two emerging and opposite patch philosophies: Either patch more, or patch less. Vendors in the Patch More school have, almost overnight, created an entirely new class of software called patch management software. The term means different things to different people (already one vendor has concocted a spinoff, “virtual patch management”), but in general, PM automates the process of finding, downloading and applying patches. Patch More adherents believe patching isn’t the problem, but that manual patching is…. The Patch Less constituency is best represented by Peter Tippett, vice chairman and CTO of TruSecure. Tippett is fanatical about patching’s failure. Based on 12 years of actuarial data, he says that only about 2 percent of vulnerabilities result in attacks. Therefore, most patches aren’t worth applying. In risk management terms, they’re at best superfluous and, at worst, a significant additional risk.
Oh yes, this is the year after Bill Gates declared the crash “Trustworthy Computing” initiative.