Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Costs of Patching

Posted by ryuzaki0 on from the we-all-have-t1s-now-anyway-right dept.

prestidigital writes "vnunet has a brief but interesting article in which Craig Fiebig, general manager of Microsoft's security business unit, is quoted as saying "In dollar terms, patching is the most expensive security measures and keeping your antivirus descriptions up to date is the least." That seems like an important statement coming from a company who's patches are possibly responsible for 45% of traffic on some networks."

23 of 303 comments (clear)

  1. Wow...it took them this long... by Fallen+Kell · · Score: 4, Insightful

    ... to realise that it costs more to do things 2, 3, or 4 times then if they had done it right the first time...

    And that is costs more to have a new programmer look at and try to modify code that wasn't written by himself/herself...

    Amazing reality breakthrough!

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
    1. Re:Wow...it took them this long... by Surak · · Score: 4, Insightful

      The real cost, aside from downtime, is in the integration testing of those patches. If you don't do the integration testing, the cost is potentially even HIGHER because you don't know what those patches could break. Unfortunately, doing proper integration testing means you end up way behind the curve in terms of the patch cycle, which ultimately means an even greater risk of attack.

      So you're damned if you do and you're damned if you don't.

      Hey, I know, maybe Microsoft could do this new thing called PROPER BETA TESTING, and then maybe the could get it right THE FIRST TIME!

      Nah, that'd be too easy. ;)

      --
      My journal has hot /. gossip.
  2. Patching has saved my hundreds of dollars by Anonymous Coward · · Score: 5, Funny

    Rather than throwing away an otherwise perfectly good pair of pants, patches have allowed me to fix them and extend their life. In some cases, patches can even be fashionable. Sewing is a great skill that all geeks should learn.

  3. Cost of not patching? by rhfrommn · · Score: 5, Insightful

    The difficult question is whether the costs of patching outweigh the costs of NOT patching. There's a lot to be said for "if it ain't broke, don't fix it" sometimes.

    However, with security patches usually you have no choice. The only decision for some security patches is how long do you wait before deploying it. Don't wanna be the first ones to put a bad patch on now, do we?

    --
    My motto is: Never give up - unless it's harder than you want it to be.
    1. Re:Cost of not patching? by H310iSe · · Score: 4, Informative

      Whenever deploying new patches OR antivirus DAT files (they cause havok as well) we did a full regression test of the standard desktop image.

      Fist a high level person would look at the patch (usually using install shield's application repackager), read the documentation, etc. and look for possible conflicts with the production environment. This took between 2-4 hours per patch x $60/h. The regression test took one lower-level tech about 2 days to do. We'd lump a few patches together so say 1 tech x $40/h (at least, w/ benefits, etc.) x 2 days / 3 patches per test = about $213/patch + eval ($180 per patch) = around $400 per patch to test. Deployment took another hour to write the install script (rarely did we rely on MS's installer alone), 1 hour to document and send to the regional offices and each office probably spent an hour implementing the thing. Total cost around $600 per patch for a 1,000 desktop, 11 office environment.

      Now you know.

      --
      closed minded is as closed minded does
    2. Re:Cost of not patching? by B3ryllium · · Score: 4, Funny
      Fist a high level person
      Yeah! That's right! Fight the power!
  4. interesting debate by ih8apple · · Score: 4, Funny

    This document was part of an interesting debate over the last year and a half between MS and Novell over whose product was more buggy (measured in terms of number of patches.)

    (Google cache version in html.)

    --


    Why do I h8 apple?
    1. Re:interesting debate by zero-one · · Score: 4, Funny

      Yup, that document was funny. I liked this bit: "Additionally, Novell has neglected to be clear about the fact that GroupWise runs on Windows NT and Windows 2000, so patches that apply to Exchange customers also apply to GroupWise customer running a GroupWise system on Windows systems". So Microsoft are arguing that Novel haven't taken full account of the security issues due to Microsoft in a report bashing Microsoft. I am not sure that is an argument that Microsoft should be shouting about!

  5. NEW MATH by stratjakt · · Score: 5, Insightful

    responsible for 45% of traffic

    But spam is responsible for, what was it Taco, 60% of traffic on networks?

    I'm at 105% utilization already!

    BTW, it's just as costly, if not more, to have to rebuild your linux kernel, SSL, apache webserver, or samba installation when a bug is found there.

    Quit pretending that MS has some sort of monopoly on software bugs. "Bad code" is a patentless technique used ubiquitously.

    --
    I don't need no instructions to know how to rock!!!!
    1. Re:NEW MATH by aridhol · · Score: 5, Insightful
      Don't forget the 70% that is porn.

      Let's face it. There's no real way to know for sure what is on those wires unless you monitor them. And I don't think anybody here wants to open that can of worms.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    2. Re:NEW MATH by clambake · · Score: 4, Funny

      responsible for 45% of traffic

      But spam is responsible for, what was it Taco, 60% of traffic on networks?

      I'm at 105% utilization already!

      Didn't you see that the article was about Microsoft? I'm sure there is at least SOME overlap in the spam/patch metrics.

    3. Re:NEW MATH by Pyrosz · · Score: 4, Insightful

      If your going to bash someone, make sure you are correct first. Taco did not write that comment and you didn't even read the entire comment correctly as it states "...possibly responsible for 45% of traffic on some networks." If Taco had written the comment it would not have been in Italics.

      --

      An optimist believes we live in the best world possible; a pessimist fears this is true.
  6. Nothing new there by Timesprout · · Score: 5, Insightful

    The software industry has known for years that the later you find a bug the more expensive and messy it is to resolve

    --
    Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  7. Not suprising by Neophytus · · Score: 5, Insightful

    People who say 'they should have patched' do not understand the stress that installing a patch however critical on a few hundred servers, then in many cases rebooting them, can put in a commercial environment.

  8. Lamers by grub · · Score: 4, Funny


    Pff.. you lamers with your fancy-pants Windows or your free Linux or *BSDs are all clueless. I haven't patched my Apple ][+'s DOS3.3 for 20 years and it still has yet to be 0wned.

    --
    Trolling is a art,
  9. MS patches are creepy... by allanj · · Score: 5, Insightful

    I've applied my fair share of patches from MS, but lately I've become really nervous about doing so. I'm always thinking "what kind of DRM will they include in this one?". It's gotten to the point where I will NOT apply patches for anything but server products, and only reluctantly so. Call me paranoid if you wish, but I can't really shake that feeling. Hey MS, great way to promote security - making users reluctant to apply patches...

    --
    Black holes are where God divided by zero
  10. Re:I prefer Linux, but... by BlueTooth · · Score: 5, Informative

    RedHat's up2date works pretty well so long as you stick to their RPM releases of the software you want to keep updated.

    It works well for me, and all I need to stay on top of are things I build be hand (typically Webserver and its ilk plus kernel), but all my libraries stay nice and fresh.

    --
    SPAM
  11. Re:I prefer Linux, but... by Nothinman · · Score: 4, Informative
    Sometimes I wish there was the equivalent of Windows Update for Linux


    apt-get update
    apt-get upgrade


    I don't run Debian's precompiled kernels though so I don't know what the patch/release policy on them is, but for all userland things it's better than WU.

  12. Re:Lamers - Oh Yeah? by grub · · Score: 5, Funny


    Yeah and? Today is Thursday, May 1 10003.

    --
    Trolling is a art,
  13. System Update Server by mr_z_beeblebrox · · Score: 4, Informative

    Microsoft has a free product out called SUS (see subject) the SUS works in conjunction with the BSA (no, Baseline Security Analyzer) to determin patch levels of 2000/XP clients and servers it then downloads all neccessary patches in a SIS (single instance storage) at the server. In this way every patch on your network is downloaded only once. If you only have four PCs this cuts update traffic by 75%. This is nearly as effective as ISA server but it is FREE. It is not as effective as coding it write the first time LOL but it is a start.

  14. Say it ain't so! by RealAlaskan · · Score: 5, Interesting
    apt-get update
    apt-get upgrade

    That's what I do, and I'm not sure what all the fuss is about. Things get fixed, usually before I ever knew they were broken, deamons get restarted, nothing gets interrupted, life goes on ... If I took the trouble to make it a cron job, I'd never even know.

    ... Craig Fiebig, ... is quoted as saying "In dollar terms, patching is the most expensive security measures ...

    Is Mr Fiebig telling us that things don't go so smoothly if you use MS products? Or that MS can't keep up with a bunch of amatures? Do MS patches break non-MS apps? Could all this be why so many worms and viruses manage to spread across unpatched MS products? Could it be that MS patches are as bad as the bugs they fix? SAY IT AIN'T SO, CRAIG!

    --
    See what I've been reading.
  15. Re:Downtime? by robbo · · Score: 4, Insightful

    I dont think a apt-get update && apt-get upgrade in cron is that hard work.

    Yikes. I don't think 'apt-get update && apt-get upgrade' in your crontab is very smart. The probability of breaking something is too high. In fact, that's the message I'm reading between the lines: virus upgrades won't break anything, so they're no problem to automate, but OS/IIS/IE patches pose a much higher probability of risking extended downtime. I don't think the situation is all that different with the Red Hat Network-- look before you leap.

    --
    So long, and thanks for all the Phish
  16. Question? by Billly+Gates · · Score: 4, Interesting
    C/C++ functions like strngcopy have been known to be a cause of overflows for decades.

    Bell labs(now lucent) and various hackers have made string functions that do the same thing but are buffer safe. They are made to create more secure apps.

    My question is if gcc or visualc for that matter switched to more buffer safe libraries would it make a difference? Trusted Debian is compiled with buffer safe string functions.

    It may be time gnuc did this by default assuming all the apps could be recompiled without a problem.

    This would seem to get rid of %90 of holes in user as well as kernel space.

    --
    http://saveie6.com/