Patch and Pray

By Scott Berinato

Slammer was unstoppable, even though a patch for the SQL Server hole it exploited had been available for months. That points to a bigger issue: patching no longer works. Partly, it's a volume problem. There are simply too many vulnerabilities, requiring too many combinations of patches, coming too fast. Picture Lucy and Ethel in the chocolate factory--just take out the humor.

But perhaps more important, and less well understood, it's a process problem. The current manufacturing process for patches--from disclosure of a vulnerability to the creation and distribution of the updated code--makes patching untenable. At the same time, the only way to fix insecure post-release software (in other words, all software) is with patches.

This impossible reality has sent patching and the newly minted discipline associated with it--patch management--into the realm of the absurd. More than a necessary evil, it has become a mandatory fool's errand.

Hardly surprising, then, that philosophies on what to do next have bifurcated. Depending on whom you ask, it's either time to patch less--replacing the process with vigorous best practices and a little bit of risk analysis--or it's time to patch more--by automating the process with, yes, more software.

"We're between a rock and a hard place," says Bob Wynn, CISO of the state of Georgia. "No one can manage this effectively. I can't just automatically deploy a patch. And because the time it takes for a virus to spread is so compressed now, I don't have time to test them before I patch either."
