The Costs of Patching

← Back to Stories (view on slashdot.org)

Posted by ryuzaki0 on Thursday May 1, 2003 @07:21AM from the we-all-have-t1s-now-anyway-right dept.

prestidigital writes "vnunet has a brief but interesting article in which Craig Fiebig, general manager of Microsoft's security business unit, is quoted as saying "In dollar terms, patching is the most expensive security measures and keeping your antivirus descriptions up to date is the least." That seems like an important statement coming from a company who's patches are possibly responsible for 45% of traffic on some networks."

10 of 303 comments (clear)

Min score:

Reason:

Sort:

Wow...it took them this long... by Fallen+Kell · 2003-05-01 07:24 · Score: 4, Insightful

... to realise that it costs more to do things 2, 3, or 4 times then if they had done it right the first time...

And that is costs more to have a new programmer look at and try to modify code that wasn't written by himself/herself...

Amazing reality breakthrough!

--
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
1. Re:Wow...it took them this long... by Surak · 2003-05-01 07:46 · Score: 4, Insightful
  
  The real cost, aside from downtime, is in the integration testing of those patches. If you don't do the integration testing, the cost is potentially even HIGHER because you don't know what those patches could break. Unfortunately, doing proper integration testing means you end up way behind the curve in terms of the patch cycle, which ultimately means an even greater risk of attack.
  
  So you're damned if you do and you're damned if you don't.
  
  Hey, I know, maybe Microsoft could do this new thing called PROPER BETA TESTING, and then maybe the could get it right THE FIRST TIME!
  
  Nah, that'd be too easy. ;)
  
  --
  My journal has hot /. gossip.
Cost of not patching? by rhfrommn · 2003-05-01 07:26 · Score: 5, Insightful

The difficult question is whether the costs of patching outweigh the costs of NOT patching. There's a lot to be said for "if it ain't broke, don't fix it" sometimes.

However, with security patches usually you have no choice. The only decision for some security patches is how long do you wait before deploying it. Don't wanna be the first ones to put a bad patch on now, do we?

--
My motto is: Never give up - unless it's harder than you want it to be.
NEW MATH by stratjakt · 2003-05-01 07:28 · Score: 5, Insightful

responsible for 45% of traffic

But spam is responsible for, what was it Taco, 60% of traffic on networks?

I'm at 105% utilization already!

BTW, it's just as costly, if not more, to have to rebuild your linux kernel, SSL, apache webserver, or samba installation when a bug is found there.

Quit pretending that MS has some sort of monopoly on software bugs. "Bad code" is a patentless technique used ubiquitously.

--
I don't need no instructions to know how to rock!!!!
1. Re:NEW MATH by aridhol · 2003-05-01 07:36 · Score: 5, Insightful
  
  Don't forget the 70% that is porn.
  Let's face it. There's no real way to know for sure what is on those wires unless you monitor them. And I don't think anybody here wants to open that can of worms.
  
  --
  I can't say that I don't give a fuck. I've just run out of fuck to give.
2. Re:NEW MATH by Pyrosz · 2003-05-01 07:58 · Score: 4, Insightful
  
  If your going to bash someone, make sure you are correct first. Taco did not write that comment and you didn't even read the entire comment correctly as it states "...possibly responsible for 45% of traffic on some networks." If Taco had written the comment it would not have been in Italics.
  
  --
  
  An optimist believes we live in the best world possible; a pessimist fears this is true.
Nothing new there by Timesprout · 2003-05-01 07:28 · Score: 5, Insightful

The software industry has known for years that the later you find a bug the more expensive and messy it is to resolve

--
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
Not suprising by Neophytus · 2003-05-01 07:28 · Score: 5, Insightful

People who say 'they should have patched' do not understand the stress that installing a patch however critical on a few hundred servers, then in many cases rebooting them, can put in a commercial environment.
MS patches are creepy... by allanj · 2003-05-01 07:33 · Score: 5, Insightful

I've applied my fair share of patches from MS, but lately I've become really nervous about doing so. I'm always thinking "what kind of DRM will they include in this one?". It's gotten to the point where I will NOT apply patches for anything but server products, and only reluctantly so. Call me paranoid if you wish, but I can't really shake that feeling. Hey MS, great way to promote security - making users reluctant to apply patches...

--
Black holes are where God divided by zero
Re:Downtime? by robbo · 2003-05-01 07:55 · Score: 4, Insightful

I dont think a apt-get update && apt-get upgrade in cron is that hard work.

Yikes. I don't think 'apt-get update && apt-get upgrade' in your crontab is very smart. The probability of breaking something is too high. In fact, that's the message I'm reading between the lines: virus upgrades won't break anything, so they're no problem to automate, but OS/IIS/IE patches pose a much higher probability of risking extended downtime. I don't think the situation is all that different with the Red Hat Network-- look before you leap.

--
So long, and thanks for all the Phish