Slashdot Mirror


The Costs of Patching

prestidigital writes "vnunet has a brief but interesting article in which Craig Fiebig, general manager of Microsoft's security business unit, is quoted as saying 'In dollar terms, patching is the most expensive security measure and keeping your antivirus descriptions up to date is the least.' That seems like an important statement coming from a company whose patches are possibly responsible for 45% of traffic on some networks."

16 of 303 comments

  1. Wow...it took them this long... by Fallen Kell · Score: 4, Insightful

    ... to realise that it costs more to do things 2, 3, or 4 times than if they had done it right the first time...

    And that it costs more to have a new programmer look at and try to modify code that wasn't written by himself/herself...

    Amazing reality breakthrough!

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
    1. Re:Wow...it took them this long... by Surak · Score: 4, Insightful

      The real cost, aside from downtime, is in the integration testing of those patches. If you don't do the integration testing, the cost is potentially even HIGHER because you don't know what those patches could break. Unfortunately, doing proper integration testing means you end up way behind the curve in terms of the patch cycle, which ultimately means an even greater risk of attack.

      So you're damned if you do and you're damned if you don't.

      Hey, I know, maybe Microsoft could do this new thing called PROPER BETA TESTING, and then maybe they could get it right THE FIRST TIME!

      Nah, that'd be too easy. ;)

  2. Also known as... by Evil Adrian · Score: 3, Insightful

    This statement is also known as "an ounce of prevention is worth a pound of cure."

    --
    evil adrian
  3. Cost of not patching? by rhfrommn · Score: 5, Insightful

    The difficult question is whether the costs of patching outweigh the costs of NOT patching. There's a lot to be said for "if it ain't broke, don't fix it" sometimes.

    However, with security patches usually you have no choice. The only decision for some security patches is how long do you wait before deploying it. Don't wanna be the first ones to put a bad patch on now, do we?

    --
    My motto is: Never give up - unless it's harder than you want it to be.
    1. Re:Cost of not patching? by pmz · Score: 3, Insightful

      > Then you'll get to have fun updating libraries whenever you want to install something, as well as patching BIND, sendmail, the kernel, etc.

      It doesn't have to be all that bad. Packages are relocatable, so unusually sensitive applications can be put into their own root directory hierarchy. Using NFS wisely can allow for one set of applications on a network (patching once and only once is quite nice). Only one or two servers on the whole network should be running Sendmail and BIND in a vulnerable mode. UNIX is also easier to pare down, so there are far fewer things that need to be patched. With a good network design, patches can be rolled out automatically over SCP, and UNIX machines tend to reboot pretty reliably, unless a patch screws up an init script.

      It is just a simple fact that UNIX is less complex than Windows. It has fewer lines of source code, more transparent modularization, strict separation between the GUI and the kernel, widely available and thorough documentation, three decades of experience behind it, almost complete scriptability, among other things. Windows, on the other hand, is as opaque as mud--there could be a golden city under there or just more mud, but we'll never know.

  4. NEW MATH by stratjakt · Score: 5, Insightful

    > responsible for 45% of traffic

    But spam is responsible for, what was it Taco, 60% of traffic on networks?

    I'm at 105% utilization already!

    BTW, it's just as costly, if not more, to have to rebuild your linux kernel, SSL, apache webserver, or samba installation when a bug is found there.

    Quit pretending that MS has some sort of monopoly on software bugs. "Bad code" is a patentless technique used ubiquitously.

    --
    I don't need no instructions to know how to rock!!!!
    1. Re:NEW MATH by aridhol · Score: 5, Insightful

      Don't forget the 70% that is porn.

      Let's face it. There's no real way to know for sure what is on those wires unless you monitor them. And I don't think anybody here wants to open that can of worms.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    2. Re:NEW MATH by Pyrosz · Score: 4, Insightful

      If you're going to bash someone, make sure you are correct first. Taco did not write that comment and you didn't even read the entire comment correctly, as it states "...possibly responsible for 45% of traffic on some networks." If Taco had written the comment it would not have been in italics.

      --
      An optimist believes we live in the best world possible; a pessimist fears this is true.
  5. Nothing new there by Timesprout · Score: 5, Insightful

    The software industry has known for years that the later you find a bug the more expensive and messy it is to resolve

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  6. Not surprising by Neophytus · Score: 5, Insightful

    People who say 'they should have patched' do not understand the stress that installing a patch however critical on a few hundred servers, then in many cases rebooting them, can put in a commercial environment.

  7. Patches by zzxc · Score: 3, Insightful

    If MS wouldn't include so much "junk data" to keep their proprietary data secret in patches, they wouldn't be so large. And, if there was a way to do a patch "rollback", then faulty patches wouldn't bring down a system until a new fix-patch was released. (One of the recent MS patches was found to cause some machines to stop booting)

    -----------
    From Ape to Man: Evolution

  8. MS patches are creepy... by allanj · Score: 5, Insightful

    I've applied my fair share of patches from MS, but lately I've become really nervous about doing so. I'm always thinking "what kind of DRM will they include in this one?". It's gotten to the point where I will NOT apply patches for anything but server products, and only reluctantly so. Call me paranoid if you wish, but I can't really shake that feeling. Hey MS, great way to promote security - making users reluctant to apply patches...

    --
    Black holes are where God divided by zero
  9. Re:Downtime? by robbo · Score: 4, Insightful

    > I don't think an apt-get update && apt-get upgrade in cron is that hard work.

    Yikes. I don't think 'apt-get update && apt-get upgrade' in your crontab is very smart. The probability of breaking something is too high. In fact, that's the message I'm reading between the lines: virus upgrades won't break anything, so they're no problem to automate, but OS/IIS/IE patches pose a much higher probability of risking extended downtime. I don't think the situation is all that different with the Red Hat Network-- look before you leap.

    --
    So long, and thanks for all the Phish
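As an added example (not from any poster in this thread), here is the "look before you leap" alternative to a blind cron upgrade: parse the dry run of `apt-get -s upgrade`, hold back packages whose upgrade cycles a service (apache, samba, the kernel) for integration testing, and apply only the rest unattended. The hold list and the sample dry-run output are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): gate an unattended
# 'apt-get upgrade' instead of running it blindly from cron.
# Packages whose upgrade restarts a user-facing daemon are held back
# for integration testing; everything else is applied.
# The hold list and the sample dry-run output are constructed.

# Packages that must go through a test cycle before production (assumed).
HOLD_FOR_TESTING="apache2 samba libssl linux-image"

# Parse the 'Inst <pkg> [<old>] (<new> ...)' lines printed by
# 'apt-get -s upgrade' and emit "<verdict> <pkg>" for each package.
classify_upgrades() {
    printf '%s\n' "$1" | awk -v hold="$HOLD_FOR_TESTING" '
        BEGIN { n = split(hold, h, " ") }
        $1 == "Inst" {
            verdict = "apply"
            for (i = 1; i <= n; i++)
                if (index($2, h[i]) == 1) verdict = "hold"
            print verdict, $2
        }'
}

# Packages safe to upgrade unattended, space separated.
safe_to_apply() {
    classify_upgrades "$1" | awk '$1 == "apply" { printf "%s ", $2 }' | sed 's/ $//'
}

# Packages held back for a human-driven test cycle.
held_for_testing() {
    classify_upgrades "$1" | awk '$1 == "hold" { printf "%s ", $2 }' | sed 's/ $//'
}

# Constructed sample standing in for "$(apt-get -s upgrade)" so the
# script runs offline; replace it with the real dry run in cron.
SAMPLE='Reading package lists...
Inst apache2 [2.0.48-1] (2.0.49-1 Debian:stable [i386])
Inst tzdata [2003a-1] (2003b-1 Debian:stable [all])
Inst samba [3.0.0-1] (3.0.2-1 Debian:stable [i386])
Conf apache2 (2.0.49-1 Debian:stable [i386])'

main() {
    echo "would apply unattended: $(safe_to_apply "$SAMPLE")"
    echo "held for integration testing: $(held_for_testing "$SAMPLE")"
    # Real run would then be: apt-get install -y $(safe_to_apply "$(apt-get -s upgrade)")
}
main
```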
  10. Re:I don't understand... by Zirnike · Score: 3, Insightful

    Business application math:

    (Some patches break some applications) + (Applications being down means lost productivity, sales, possibly data, depending on the app) + (MS apps won't let you roll back the patch, so you can't recover) = Many companies feel the need to test the patches first.

    My computer at work doesn't get patched all that often (luckily it's behind multiple firewalls), because Unigraphics is very touchy (according to our support people).

    --
    I'm not shy, I'm stalking my prey
  11. Hmmm... by istartedi · Score: 3, Insightful

    Well... before the knee-jerk MS-bashing starts, let's think about it.

    If you patch, you have to recompile the component, and possibly re-boot the machine or re-start the application. This is true for Linux too (unless there's a way to fast-swap kernels that I haven't heard about).

    If you update, you don't need to re-start anything.

    If you patch, you could have to patch just about anything on the system.

    If you update, you are working through one application.

    Of course, there's nothing to stop an OSS developer from writing something that just sniffs incoming data for known exploits, like a virus scanner does.

    Ahhh... but that would slow the system down.

    So I think you have to add "better performance" to the pro-patch argument.

    But then, there is probably less effort to updating, especially if it's automated. Is there any OSS system with automated patching that people are willing to trust?

    Either way, I think it's an interesting discussion. In practice, I patch.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  12. Re:I prefer Linux, but... by argel · Score: 3, Insightful

    > You still have to take the machine offline for all practical purposes. You can't upgrade samba or apache in place without interrupting service. So who cares if the downtime is for a reboot or a recompile? From the user's point of view the machine is inaccessible.

    You've never had to reboot a system with several SCSI drives in it, have you? The difference between cycling a daemon and cycling the box can be considerable.

    --
    Argel