Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Costs of Patching

Posted by ryuzaki0 on from the we-all-have-t1s-now-anyway-right dept.

prestidigital writes "vnunet has a brief but interesting article in which Craig Fiebig, general manager of Microsoft's security business unit, is quoted as saying "In dollar terms, patching is the most expensive security measures and keeping your antivirus descriptions up to date is the least." That seems like an important statement coming from a company who's patches are possibly responsible for 45% of traffic on some networks."

25 of 303 comments (clear)

  1. Wow...it took them this long... by Fallen+Kell · · Score: 4, Insightful

    ... to realise that it costs more to do things 2, 3, or 4 times then if they had done it right the first time...

    And that is costs more to have a new programmer look at and try to modify code that wasn't written by himself/herself...

    Amazing reality breakthrough!

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
    1. Re:Wow...it took them this long... by Surak · · Score: 4, Insightful

      The real cost, aside from downtime, is in the integration testing of those patches. If you don't do the integration testing, the cost is potentially even HIGHER because you don't know what those patches could break. Unfortunately, doing proper integration testing means you end up way behind the curve in terms of the patch cycle, which ultimately means an even greater risk of attack.

      So you're damned if you do and you're damned if you don't.

      Hey, I know, maybe Microsoft could do this new thing called PROPER BETA TESTING, and then maybe the could get it right THE FIRST TIME!

      Nah, that'd be too easy. ;)

      --
      My journal has hot /. gossip.
  2. Also known as... by Evil+Adrian · · Score: 3, Insightful

    This statement is also known as "an ounce of prevention is worth a pound of cure."

    --
    evil adrian
  3. Cost of not patching? by rhfrommn · · Score: 5, Insightful

    The difficult question is whether the costs of patching outweigh the costs of NOT patching. There's a lot to be said for "if it ain't broke, don't fix it" sometimes.

    However, with security patches usually you have no choice. The only decision for some security patches is how long do you wait before deploying it. Don't wanna be the first ones to put a bad patch on now, do we?

    --
    My motto is: Never give up - unless it's harder than you want it to be.
    1. Re:Cost of not patching? by rhfrommn · · Score: 2, Insightful

      I don't buy that argument (although you may just be joking).

      I'm a Solaris admin and have no love for Microsoft. But even I have to admit that all operating systems need patches. Solaris does, Microsoft does, every version of Linux does. Just changing to another OS won't solve all your patching problems. I'll grant you that Microsoft seems to be worse than average in terms of number of patches needed and the hassle involved so changing may definately be a good idea. It just isn't a complete fix.

      --
      My motto is: Never give up - unless it's harder than you want it to be.
    2. Re:Cost of not patching? by pmz · · Score: 3, Insightful

      Then you'll get to have fun updating libraries whenever you want to install something, as well as patching BIND, sendmail, the kernel, etc.

      It doesn't have to be all that bad. Packages are relocatable, so unusually sensitive applications can be put into their own root directory hierarchy. Using NFS wisely can allow for one set of applications on a network (patching once and only once is quite nice). Only one or two servers on the whole network should be running Sendmail and BIND in a vulnerable mode. UNIX is also easier to pare down, so there are much fewer things that need to be patched. With a good network design, patches can be rolled out automatically over SCP, and UNIX machines tend to reboot pretty reliably, unless a patch screws up an init script.

      It is just a simple fact that UNIX is less complex than Windows. It has fewer lines of source code, more transparent modularization, strict separation between the GUI and the kernel, widely available and thorough documentation, three decades of experience behind it, almost complete scriptability, among other things. Windows, on the other hand, is as opaque as mud--there could be a golden city under there or just more mud, but we'll never know.

      --
      Healthcare article at Kuro5hin
    3. Re:Cost of not patching? by _Sprocket_ · · Score: 2, Insightful


      Microsoft's R&D department is laughing at you.

      It's probably more of a nervous chuckle than a laugh. After all, Win2003 developers are paying attention. To the point:

      Why is there no command line only version?
      We're looking longer term to see what can be done, looking at the layers and what's available at each layer and how do we make it much closer to the thing the Linux guys have -- having only the pieces you want running. That's something Linux has that's ahead of us, but we're looking at it. We will have a command line-only version, but whether it'll have all the features in is another matter. A lot of the tools depend on having the graphical interface. Printing, for example, requires all the graphics subsystems because we have the "what you see is what you get" model. You need to have the whole of the display stuff to render it. It's a very tangled subsystem.

      Maybe there's something to that whole simplicity idea.
  4. NEW MATH by stratjakt · · Score: 5, Insightful

    responsible for 45% of traffic

    But spam is responsible for, what was it Taco, 60% of traffic on networks?

    I'm at 105% utilization already!

    BTW, it's just as costly, if not more, to have to rebuild your linux kernel, SSL, apache webserver, or samba installation when a bug is found there.

    Quit pretending that MS has some sort of monopoly on software bugs. "Bad code" is a patentless technique used ubiquitously.

    --
    I don't need no instructions to know how to rock!!!!
    1. Re:NEW MATH by aridhol · · Score: 5, Insightful
      Don't forget the 70% that is porn.

      Let's face it. There's no real way to know for sure what is on those wires unless you monitor them. And I don't think anybody here wants to open that can of worms.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    2. Re:NEW MATH by Pyrosz · · Score: 4, Insightful

      If your going to bash someone, make sure you are correct first. Taco did not write that comment and you didn't even read the entire comment correctly as it states "...possibly responsible for 45% of traffic on some networks." If Taco had written the comment it would not have been in Italics.

      --

      An optimist believes we live in the best world possible; a pessimist fears this is true.
  5. Nothing new there by Timesprout · · Score: 5, Insightful

    The software industry has known for years that the later you find a bug the more expensive and messy it is to resolve

    --
    Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  6. Want security? don't install the kitchen sink! by MrBoombasticfantasti · · Score: 2, Insightful

    If you want security on your boxen it is prevalent to install just the components you need and no more than that. For example, it is safer to have a dedicated firewall/router and a seperate desktop machine for accessing the Internet than to just connect with a 'one-size-fits-all' installation. This goes for Windows as well as for GNU/Linux and/or *BSD. Myself, I have an OpenBSD box connected to my DSL-line and patching is seldom needed (at least compared to other OS'es). This way I can fool around on my (seperate) desktop machine till my hair falls out but it won't get h4x()r3d...

    --
    !ERR: Signature not found.
  7. Not suprising by Neophytus · · Score: 5, Insightful

    People who say 'they should have patched' do not understand the stress that installing a patch however critical on a few hundred servers, then in many cases rebooting them, can put in a commercial environment.

  8. Patches by zzxc · · Score: 3, Insightful

    If MS wouldn't include so much "junk data" to keep their proprietary data secret in patches, they wouldn't be so large. And, if there was a way to do a patch "rollback", then faulty patches wouldn't bring down a system until a new fix-patch was released. (One of the recent MS patches was found to cause some machines to stop booting)

    -----------
    From Ape to Man: Evolution

  9. MS patches are creepy... by allanj · · Score: 5, Insightful

    I've applied my fair share of patches from MS, but lately I've become really nervous about doing so. I'm always thinking "what kind of DRM will they include in this one?". It's gotten to the point where I will NOT apply patches for anything but server products, and only reluctantly so. Call me paranoid if you wish, but I can't really shake that feeling. Hey MS, great way to promote security - making users reluctant to apply patches...

    --
    Black holes are where God divided by zero
  10. Re:I prefer Linux, but... by stratjakt · · Score: 1, Insightful

    You still have to take the machine offline for all practical purposes. You cant upgrade samba or apache in place, without interrupting service.

    So who cares if the downtime is for a reboot or a recompile? From the users point of view the machine is inaccessable.

    --
    I don't need no instructions to know how to rock!!!!
  11. Re:Downtime? by Henry+V+.009 · · Score: 2, Insightful

    Wasn't Microsoft supposed to have a system that would patch without rebooting by now? I thought Windows 2000 was supposed to do it. But here we are on XP, and you still have to reboot for nearly all of the critical patches.

  12. Patching vs UnPatching by gosand · · Score: 2, Insightful
    BTW, it's just as costly, if not more, to have to rebuild your linux kernel, SSL, apache webserver, or samba installation when a bug is found there.

    Actually, just the act of patching may roughly equal. But UN-patching a system can be done very easily on a *nix based system. How do you UN-patch a Windows based system?

    Also, when I rebuild apache, I know what I am affecting. When I install a Windows patch, I cross my fingers.

    --

    My beliefs do not require that you agree with them.

  13. Re:Downtime? by robbo · · Score: 4, Insightful

    I dont think a apt-get update && apt-get upgrade in cron is that hard work.

    Yikes. I don't think 'apt-get update && apt-get upgrade' in your crontab is very smart. The probability of breaking something is too high. In fact, that's the message I'm reading between the lines: virus upgrades won't break anything, so they're no problem to automate, but OS/IIS/IE patches pose a much higher probability of risking extended downtime. I don't think the situation is all that different with the Red Hat Network-- look before you leap.

    --
    So long, and thanks for all the Phish
  14. Re:I don't understand... by Zirnike · · Score: 3, Insightful
    Business application math:

    (Some patches break some applications) + (Applications being down means lost productivity, sales, possibly data, depending on the app) + (MS apps won't let you roll back the patch, so you can't recover) = Many companies feel the need to test the patches first.

    My computer at work doesn't get patched all that often (luckally it's behind multiple firewalls), because Unigraphics is very touchy (according to our support people).

    --
    I'm not shy, I'm stalking my prey
  15. Hmmm... by istartedi · · Score: 3, Insightful

    Well... before the knee-jerk MS-bashing starts, let's think about it.

    If you patch, you have to recompile the component, and possibly re-boot the machine or re-start the application. This is true for Linux too (unless there's a way to fast-swap kernels that I haven't heard about).

    If you update, you don't need to re-start anything.

    If you patch, you could have to patch just about anything on the system.

    If you update, you are working through one application.

    Of course, there's nothing to stop an OSS developer from writing something that just sniffs incoming data for known exploits, like a virus scanner does.

    Ahhh... but that would slow the system down.

    So I think you have to add "better performance" to the pro-patch argument.

    But then, there is probably less effort to updating, especially if it's automated. Is there any OSS system with automated patching that people are willing to trust?

    Either way, I think it's an interesting discussion. In practice, I patch.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  16. Distinctions by Heinr!ch · · Score: 2, Insightful

    I think there's a big difference between AV definitions and OS patches. AV definitions can be loaded and unloaded dynamically and have minimal effect on uptime. OS patches (in Windows) tend to be all over the place. MS' System Update Server is a good idea for now - in reducing traffic due to patches. However, in most of my environments, the only things we patch regularly are IE and IIS. We typically only patch the OS pre-SP1, but after that we only apply service packs. In addition, we have IP filtering active on every Win2k server (managed via GPO Registry Settings) so we can granularly control port access. As a result, our Win2k servers have uptimes comparable to our Linux servers, with the exception of reboots related to service packs and major software installations.

  17. Re:I prefer Linux, but... by RollingThunder · · Score: 2, Insightful

    Sometimes I wish there was the equivalent of Windows Update for Linux.

    In essence, there is. Just requires (as always) a little manual setup on your own.

    I have one central update box. It runs fmirror every three hours, pulling down the latest Mandrake patches (8.2, 9.0, 9.1) and emails me if there has been a change.

    That box has NFS exports (you could use ftp, if you wish, to avoid the NFS problems) to all the other servers.

    The other servers have the update box defined as an "update" source in urpmi.

    I can then just log on and run:
    urpmi.update -a (updates the list of available RPM's on the local server's cache)
    urpmi --update --auto-select (installs any updated versions of RPMS, autoselecting any dependencies)

    Dead simple. I don't auto-patch for various paranoid reasons, but there's no reason I can't put in the list update automatically too.

    Is this as dead simple as using Windows Update? No.

    It is, however, simpler than MAKING windows update was for Microsoft, and that's largely the work I've replicated.

  18. Re:I prefer Linux, but... by argel · · Score: 3, Insightful
    You still have to take the machine offline for all practical purposes. You cant upgrade samba or apache in place, without interrupting service. So who cares if the downtime is for a reboot or a recompile? From the users point of view the machine is inaccessable
    You've never had to reboot a system with several SCSI drives in it, have you? The difference between cycling a daemon and cycling the box can be considerable.
    --

    -- Argel
  19. To be fair... by dorfsmay · · Score: 2, Insightful

    I am no Microsoft fan, but even when if you were to write the software "right", you have to remember that,to quote Pressman, software deteriorate. Therefore even a perfect piece of software will need to be patched at some point in the future because the environment around the software will change (new OS, new hardware, unforeseen complication (can you say Y2K ;-)). Can anybody quote one OS that never needs patching ?

    Once you have accepted that you will have to patch, then you do it on a regular basis, on your test box first, then you move the "patch bundle" to the prod boxes. The only problem with this method that has come up recently is the time-sensitivity of security patches, if you want to stay safe you can't really afford the slow cycle of waiting for the patch bundle to come out, let it mature, apply in dev, apply in prod. I have no answer to this one, I'd love to hear other's opinion on it.

    There are strategies to reduce patches, like the one that is rarelly mentioned and that I like a lot is de Raadt's idea of code audit , once you found a bug, you know that you have made the same error somewhere else and should go through your code to find it and fix it.