Shostack + Friends Blog Archive


Patch Management

Alec Muffet comments on sysadmin resistance to applying patches.
As Steve Beattie and a number of the rest of us wrote about, the issue is that there is a tradeoff to be made in finding the optimal uptime for a system. It's a tradeoff between a security risk and an operational risk.
Organizationally, different teams are often measured on different parts of the risk, making a holistic view harder. Vendors need to work to make sure each patch is a smaller change. Roll-ups are nice, but roll-ups naturally combine all of the risks of all of the small changes. (SP2 is risky because of the number of changes that it makes to the OS, and riskier because some of them are new, not rolled-up changes.) Now, I'm not suggesting that the right thing to do is to release each change as a separate patch, but vendors need to address the fear people have of messing up their systems. One way to do that would be to focus on a good, high-assurance roll-out/roll-back mechanism as part of the operating system.
