In Depth
Software Patching: Patch and Pray
Patching, the only way to prevent poorly designed software from breaking everything, no longer works. And there's nothing you can do about it. Except maybe patch less. Or possibly patch more.
By Scott Berinato
"I'd like to think there's a way to improve the process here," says Mykolas Rambus, CIO of financial services company WP Carey. "It would take an industry body
Rambus doesn't sound hopeful.
There won't be a formal announcement of the fact, and no one really planned it this way, but Slammer has become something of a turning point. The fury of its 10-minute conflagration and the ensuing comedy of a gaggle of firefighters untangling their hoses, rushing to the scene and finding that the building burnt down left enough of an impression to convince many that patching, as currently practiced, really doesn't work.
"Something has to happen," says Rambus. "There's going to be a backlash if it doesn't improve. I'd suggest that this patching problem is the responsibility of the vendors, and the costs are being taken on by the customers."
There's good news and bad news for Rambus. The good news is that vendors are motivated to try and fix the patch process. And they're earnest
The bad news is that it's not clear either approach will work. And even if one does, none of what's happening changes the economics of patching. Customers still pay.
More or Less
There are two emerging and opposite patch philosophies: Either patch more, or patch less.
Vendors in the Patch More school have, almost overnight, created an entirely new class of software called patch management software. The term means different things to different people (already one vendor has concocted a spinoff, "virtual patch management"), but in general, PM automates the process of finding, downloading and applying patches. Patch More adherents believe patching isn't the problem, but that manual patching is. Perfunctory checks for updates, automated deployment, checks for conflicts and rollback capabilities (in case there is a conflict) will, under the Patch More school of thought, fix patching. PM software can keep machines as up-to-date as possible without the possibility of human error.
The CISO at a major convenience store retail chain says it's already working. "Patching was spiralling out of control until recently," he says. "Before, we knew we had a problem because of the sheer volume of patches. We knew we were exposed in a handful of places. The update services coming now from Microsoft, though, have made the situation an order of magnitude better."