In Depth

Software Patching: Patch and Pray

Patching-the only way to prevent poorly designed software from breaking everything-no longer works. And there's nothing you can do about it. Except maybe patch less. Or possibly patch more.

By Scott Berinato

Page 8

Duke University's Rice tested patch management software on 550 machines. When the application told him he needed 10,000 patches, he wasn't sure if that was a good thing. "Obviously, it's powerful, but automation leaves you open to automatically putting in buggy patches." Rice might be thinking of the patch that crashed his storage array on a Compaq server. "I need automation to deploy patches," he says. "I do not want automated patch management."

The Patch Less constituency is best represented by Peter Tippett, vice chairman and CTO of TruSecure. Tippett is fanatical about patching's failure. Based on 12 years of actuarial data, he says that only about 2 percent of vulnerabilities result in attacks. Therefore, most patches aren't worth applying. In risk management terms, they're at best superfluous and, at worst, a significant additional risk.

Instead, Tippett says, improve your security policy (lock down ports such as 1434 that really had no reason to be open) and pay third parties to figure out which patches are necessary and which ones you can ignore. "More than half of Microsoft's 72 major vulnerabilities last year will never affect anyone ever," says Tippett. "With patching, we're picking the worst possible risk-reduction model there is."

Tippett is at once professorial and constantly selling his own company's ability to provide the services that make patching less viable. But many thoughtful security leaders think Tippett's approach is as flawed and dangerous as automated patch management.

"There's no place for that kind of thinking, to patch less," says St. Elizabeth's Burns. "As soon as an exploit takes advantage of an unknown vulnerability, and one will, those guys will be scratching their heads. He's using old-school risk analysis. How can you come up with an accurate probability matrix on blended threat viruses using 12 years of data when they've only been around for two years?"

Add to this a sort of emotional inability to not patch, sort of like forgetting to put on your watch and feeling naked all day. Several CISOs described an illogical pull to patch, even if the risk equation determined that less patching is equally or even more effective.

There's also an emerging hybrid approach, which combines the patch management software with expertise and policy management. It also combines the costs of paying smart people to know your risks while also investing in new software.

"There's a huge push right when P&L captains are telling CISOs to keep costs down," says Hernan. That might explain why the executive security ranks are far less enamored by the Patch Less/Patch More philosophies. The polar approaches haven't yet spurred CISOs to take sides so much as they've flummoxed them. Ambivalent confusion reigns.
