Slashdot Mirror


The Costs of Patching

prestidigital writes "vnunet has a brief but interesting article in which Craig Fiebig, general manager of Microsoft's security business unit, is quoted as saying "In dollar terms, patching is the most expensive security measure and keeping your antivirus descriptions up to date is the least." That seems like an important statement coming from a company whose patches are possibly responsible for 45% of traffic on some networks."

8 of 303 comments

  1. It makes sense they would say this.. by geekoid · · Score: 3, Informative

    ..because one of the many new features of Server 2003 is the ability to apply patches automatically.
    So they will use this 'cost savings' to push the new product. At the launch event, they bagged on their older products pretty damn hard.

    It's part of their latest slogan
    "do more with less".
    Personally, I don't know who this Less guy is, or why I would want to do more with him. Ironically I prefer less to more.

    --
    The Kruger Dunning effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  2. Re:I prefer Linux, but... by BlueTooth · · Score: 5, Informative

    RedHat's up2date works pretty well so long as you stick to their RPM releases of the software you want to keep updated.

    It works well for me, and all I need to stay on top of are things I build by hand (typically the webserver and its ilk plus the kernel), but all my libraries stay nice and fresh.

    --
    SPAM
  3. Re:I prefer Linux, but... by Nothinman · · Score: 4, Informative
    Sometimes I wish there was the equivalent of Windows Update for Linux

    apt-get update
    apt-get upgrade

    I don't run Debian's precompiled kernels though so I don't know what the patch/release policy on them is, but for all userland things it's better than WU.

  4. Re:Cost of not patching? by H310iSe · · Score: 4, Informative

    Whenever deploying new patches OR antivirus DAT files (they cause havoc as well) we did a full regression test of the standard desktop image.

    First a high level person would look at the patch (usually using InstallShield's application repackager), read the documentation, etc. and look for possible conflicts with the production environment. This took between 2-4 hours per patch x $60/h. The regression test took one lower-level tech about 2 days to do. We'd lump a few patches together so say 1 tech x $40/h (at least, w/ benefits, etc.) x 2 days / 3 patches per test = about $213/patch + eval ($180 per patch) = around $400 per patch to test. Deployment took another hour to write the install script (rarely did we rely on MS's installer alone), 1 hour to document and send to the regional offices and each office probably spent an hour implementing the thing. Total cost around $600 per patch for a 1,000 desktop, 11 office environment.

    Now you know.

    --
    closed minded is as closed minded does
  5. I feel the pain by Remlik · · Score: 3, Informative

    As the only sys admin in a company of 50 desktops and 4 Win2k Servers I can fully support the notion that patching is expensive...but not for the company...for ME!

    Guess who gets to come in the office between 8 and 10pm to apply these patches to live servers...who has to wait if someone decides to work late. Who has to cross his fingers with every patch hoping that nothing else breaks...ME! And the only thing I get out of it is to be able to leave an hour or two early that Friday...woot.

    Sure some things I can and do install from remote, but almost every patch requires a reboot and you just never know when a Win2k system isn't going to boot properly and require you to drive in at 1am wearing your bath robe.

    --
    Apple free since 1990!
  6. System Update Server by mr_z_beeblebrox · · Score: 4, Informative

    Microsoft has a free product out called SUS (see subject). The SUS works in conjunction with the BSA (no, Baseline Security Analyzer) to determine patch levels of 2000/XP clients and servers; it then downloads all necessary patches into a SIS (single instance storage) at the server. In this way every patch on your network is downloaded only once. If you only have four PCs this cuts update traffic by 75%. This is nearly as effective as ISA server but it is FREE. It is not as effective as coding it right the first time LOL but it is a start.

    1. Re:System Update Server by Lumpy · · Score: 3, Informative

      I get the same thing for free with Linux by simply configuring a Squid proxy to heavily cache all http traffic from update.microsoft.com. Then have all the W2K boxes automatically run their updates 1 day after the master PC does this. Voila... the Squid proxy caches all the updates so every other PC in my WAN gets them from the Squid server lightning fast. Same as the virus scan and all the other "update" sites we seem to use here.

      Works great and my mrtg graphs prove that it works to me :-)

      --
      Do not look at laser with remaining good eye.
  7. Re:Question? by PickaBooga · · Score: 3, Informative

    The basic string copy functions in C and C++ don't keep a value for the maximum length of a string.
    (Actually, they don't even keep a value for the current length of a string; it is calculated by scanning the string and looking for the terminating null.)

    The buffer safe string libraries are not designed to be a drop-in replacement for the basic string library, because they demand more information about maximum lengths from the code using them.
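The point above, that a bounded copy API has to be told the destination's capacity because the C string itself carries no length, is easiest to see side by side with what strncpy() does. The following is an added example and not code from the comment or from any particular "buffer safe" library; bounded_copy() and strncpy_leaves_terminator() are illustrative names, and the sample input strings are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Copy src into dst, which has room for dst_size bytes including the
 * terminating NUL. Returns the full length of src (strlcpy-style), so the
 * caller detects truncation by checking whether the result >= dst_size.
 * The caller MUST pass the real capacity of dst: that is the extra
 * information a bounded API demands and strcpy() never asks for. */
size_t bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);   /* scans for the NUL; no stored length exists */
    if (dst_size == 0)
        return src_len;             /* no room to write anything, not even the NUL */
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';                  /* always terminated, unlike strncpy() */
    return src_len;
}

/* Returns 1 if strncpy() of src into a buffer of `size` bytes leaves the
 * buffer NUL-terminated, 0 otherwise. strncpy() pads with NULs only when
 * src is shorter than size; when src fills the buffer exactly or is longer,
 * no terminator is written and a later strlen() reads past the buffer. */
int strncpy_leaves_terminator(const char *src, size_t size)
{
    char buf[64];
    if (size == 0 || size > sizeof buf)
        return 0;
    memset(buf, 'X', sizeof buf);   /* sentinel bytes make a missing NUL visible */
    strncpy(buf, src, size);
    return memchr(buf, '\0', size) != NULL;
}

int main(void)
{
    char small[8];
    /* constructed sample input, longer than the destination */
    const char *input = "this string is longer than the buffer";

    size_t needed = bounded_copy(small, sizeof small, input);
    if (needed >= sizeof small)
        printf("truncated: needed %zu bytes, had %zu; got \"%s\"\n",
               needed + 1, sizeof small, small);

    printf("strncpy(\"hello\", 8) terminated? %d\n",
           strncpy_leaves_terminator("hello", 8));
    printf("strncpy(\"exactly8\", 8) terminated? %d\n",
           strncpy_leaves_terminator("exactly8", 8));
    return 0;
}
```

The return value is the length the copy would have needed, so a caller can either treat truncation as an error or grow the buffer and retry; either way the decision is made from information the plain strcpy() interface cannot provide.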