The Costs of Patching
prestidigital writes "vnunet has a brief but interesting article in which Craig Fiebig, general manager of Microsoft's security business unit, is quoted as saying "In dollar terms, patching is the most expensive security measures and keeping your antivirus descriptions up to date is the least." That seems like an important statement coming from a company whose patches are possibly responsible for 45% of traffic on some networks."
RedHat's up2date works pretty well so long as you stick to their RPM releases of the software you want to keep updated.
It works well for me, and all I need to stay on top of are things I build by hand (typically the webserver and its ilk plus the kernel), but all my libraries stay nice and fresh.
SPAM
apt-get update
apt-get upgrade
I don't run Debian's precompiled kernels though so I don't know what the patch/release policy on them is, but for all userland things it's better than WU.
Whenever deploying new patches OR antivirus DAT files (they cause havoc as well) we did a full regression test of the standard desktop image.
First a high-level person would look at the patch (usually using InstallShield's application repackager), read the documentation, etc. and look for possible conflicts with the production environment. This took between 2-4 hours per patch x $60/h. The regression test took one lower-level tech about 2 days to do. We'd lump a few patches together, so say 1 tech x $40/h (at least, w/ benefits, etc.) x 2 days / 3 patches per test = about $213/patch + eval ($180 per patch) = around $400 per patch to test. Deployment took another hour to write the install script (rarely did we rely on MS's installer alone), 1 hour to document and send to the regional offices, and each office probably spent an hour implementing the thing. Total cost around $600 per patch for a 1,000 desktop, 11 office environment.
Now you know.
closed minded is as closed minded does
Microsoft has a free product out called SUS (see subject). SUS works in conjunction with the BSA (no, Baseline Security Analyzer) to determine patch levels of 2000/XP clients and servers; it then downloads all necessary patches into a SIS (single instance storage) at the server. In this way every patch on your network is downloaded only once. If you only have four PCs this cuts update traffic by 75%. This is nearly as effective as ISA server but it is FREE. It is not as effective as coding it right the first time LOL but it is a start.