John Pescatore

A member of the Gartner Blog Network


If It’s Wednesday, You Must Be Patching – And Being Boiled Like a Frog

by John Pescatore  |  June 10, 2009

A huge number of patches for critical vulnerabilities came out this week from Adobe, Apple, Microsoft and RIM. Most will require machines to be rebooted in order to “take” – those are often the patches that cause the most problems. Many SLA reports show 95% patching within 5 business days just because the patch was pushed – those using Network Access Control to baseline PCs every time they connect find that it is more like 60% in reality.
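Putting a number on the gap in that last sentence, as an added example that is not from the original post: a constructed fleet of ten inventory records (hypothetical field names) is scored two ways, once the way a "pushed" SLA report counts, and once counting only machines whose install and post-install reboot both completed within five business days.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Endpoint:
    """Constructed inventory record for one PC (field names are hypothetical)."""
    name: str
    pushed: Optional[date]     # day the distribution tool pushed the patch
    installed: Optional[date]  # day the package reported itself installed
    rebooted: Optional[date]   # day of the post-install reboot that makes it "take"

def add_business_days(start: date, n: int) -> date:
    """Return the date n business days (Mon-Fri) after start."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

def status(ep: Endpoint, deadline: date) -> str:
    """Classify one machine the way a NAC baseline check on connect would."""
    if ep.pushed is None:
        return "not_pushed"        # offline or missed by the push
    if ep.installed is None:
        return "not_installed"
    if ep.rebooted is None:
        return "reboot_pending"    # package on disk, fix not yet effective
    if ep.rebooted > deadline:
        return "late"
    return "verified"

def compliance(endpoints, patch_day: date, sla_days: int = 5) -> dict:
    """Compare the 'pushed' SLA figure with the verified (installed + rebooted) one."""
    deadline = add_business_days(patch_day, sla_days)
    total = len(endpoints)
    pushed = sum(1 for e in endpoints if e.pushed is not None)
    verified = sum(1 for e in endpoints if status(e, deadline) == "verified")
    return {"deadline": deadline, "pushed_pct": 100 * pushed / total,
            "verified_pct": 100 * verified / total}

def d(day: int) -> Optional[date]:  # June 2009; 0 means the event has not happened
    return date(2009, 6, day) if day else None

# Constructed sample fleet; the patches were pushed on Tuesday 9 June 2009.
# compliance(FLEET, date(2009, 6, 9)) -> pushed 90%, verified 60% (deadline 16 June)
FLEET = [Endpoint(f"pc{i}", d(p), d(ins), d(rb)) for i, (p, ins, rb) in enumerate([
    (9, 10, 10), (9, 10, 11), (9, 11, 0), (9, 12, 15), (9, 15, 16),
    (9, 16, 18), (0, 0, 0), (9, 12, 12), (9, 10, 0), (9, 11, 11)])]
```

The same records give a very different picture depending on which definition the SLA report uses; the reboot-pending and late machines are exactly the ones a push-based count hides.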

There’s the old story about the right way to boil a frog: if you throw a frog into a pot of boiling water, it will hop right out. But if you put it in a pot of nice warm water and slowly turn up the temperature, it will happily sit there until voila – boiled frog. Now, I’ve never actually seen this tested, but you can see it at work currently with the price of gasoline – many are claiming gas is “cheap” just because it is not $4/gallon in the US. The slow creep back up to the $2.50+/gallon range has boiled a lot of frogs.

I’m feeling like the same thing is happening with software vendors and vulnerabilities these days. The worms of 2001 – 2003 caused the boiling-water effect, and many software vendors responded to customer pressure by taking steps to improve the security quality of their development processes and their support for the patching process. However, in the past several years, the Googles and Facebooks and Twitters and iPhones of the world have come along pushing consumer-quality software with short development cycles – and I think this is working against continued progress in reducing the number of critical vulnerabilities in software.

Take a look at how much you are actually spending on patching software – I think the water is back to being pretty close to boiling.
