Patch and Pray

By Scott Berinato

The CISO at a major convenience store retail chain says it's already working. "Patching was spiralling out of control until recently," he says. "Before, we knew we had a problem because of the sheer volume of patches. We knew we were exposed in a handful of places. The update services coming now from Microsoft, though, have made the situation an order of magnitude better."

Duke University's Rice tested patch management software on 550 machines. When the application told him he needed 10,000 patches, he wasn't sure if that was a good thing. "Obviously, it's powerful, but automation leaves you open to automatically putting in buggy patches." Rice might be thinking of the patch that crashed his storage array on a Compaq server. "I need automation to deploy patches," he says. "I do not want automated patch management."

The Patch Less constituency is best represented by Peter Tippett, vice chairman and CTO of TruSecure. Tippett is fanatical about patching's failure. Based on 12 years of actuarial data, he says that only about 2 percent of vulnerabilities result in attacks. Therefore, most patches aren't worth applying. In risk management terms, they're at best superfluous and, at worst, a significant additional risk.

Instead, Tippett says, improve your security policy--lock down ports such as 1434 that really had no reason to be open--and pay third parties to figure out which patches are necessary and which ones you can ignore. "More than half of Microsoft's 72 major vulnerabilities last year will never affect anyone ever," says Tippett. "With patching, we're picking the worst possible risk-reduction model there is."

Tippett is at once professorial and constantly selling his own company's ability to provide the services that make patching less viable. But many thoughtful security leaders think Tippett's approach is as flawed and dangerous as automated patch management.
