Insufficient data from Andrew Fryer

The place where I page to when my brain is full up of stuff about the Microsoft platform

Microsoft security update reliability


The security community continually despairs of how bad we are at keeping our systems up to date with the latest security updates, be they from Microsoft, Oracle, Adobe etc. In fact this trend probably matches the classic bell curve of adoption of any new technology: a few early adopters, the mainstream, and then a small but long tail of those who cannot, don’t know about, or can’t be bothered to move away from old technologies like XP and IE 6. This is a cultural thing and is therefore very hard to change. While a cautious approach to many technologies might be justified, I just can’t see any justification for not keeping up to date with security patches, with the possible exception of concerns about reliability.

Given that security and critical updates are a fact of life, I would then expect a company to have a process for checking the reliability of security updates, so that if a particular update causes problems the precise issue can be flagged back to the vendor for resolution. What I can’t understand is the vague notion that some new update might be unreliable, and hanging back to see if anyone else has an issue with it. I am curious about this approach, as I am not sure what event or time lag ensures that applying the patch is more likely to work than when it was released.

Vendors obviously want to ensure these patches are reliable, but they have access to only so many testing environments, and these can’t cover the variety of environments that are out there. Microsoft tackles this problem by recognising that there are early adopters who want sight of the patches as soon as possible for testing, and has a process in place to make use of this: the Security Update Validation Program (SUVP). Selected customers are invited to join and receive the patches prior to release in order to test them (i.e. not to put them into production). This means they can deploy patches as soon as they are released, having already done their testing, while Microsoft gets feedback from all the SUVP customers on whether the patch is reliable enough to release.

So your choices for applying security updates are:

  1. You rely on the quality of the patches and deploy them as soon as they arrive.
  2. You do your own deep testing of security patches as soon as they’re released, and deploy after testing.
  3. You understand the risk of not deploying these patches immediately, have balanced the cost of testing and applying them against the risk and cost of losing service and/or data as the result of an attack, and have sign-off for this approach from the business.
  4. Your CV is up to date.

Further Reading:

Microsoft Security Centre