Oracle’s answer with regards to Security Patches

You probably remember my post about Oracle DBAs rarely installing patches. It was about a study in which Sentrigo claimed (after having asked 305 people) that more than 2/3 of Oracle DBAs do not install the patches provided by Oracle. Now Oracle has recently published a blog post called "To Patch or Not To Patch?" with some interesting comments that are definitely worth looking at.

There are mainly two things I think we should look at:

  • One of their key statements is that every administrator has to find a balance between the risk of patching and the risk of not patching. This is definitely true. There is the well-known saying "never touch a running system". Well, how true is it really? Some time ago I had this discussion with representatives of the pharma industry. A key regulation to fulfill there concerns validated systems, mainly systems where every change has to be thoroughly tested and documented, as a failure could lead to significant problems with medications and ultimately even to loss of life. Over time, the regulators and the companies had to learn that not touching a system bears significant risks as well. The challenge, and I agree with the Oracle blog here, is to do proper risk management. The key problem, however, is that you know one risk pretty well (the risk of applying a patch, including the reboots, the downtime of applications, and so on) whereas the risk of not patching is unknown. What can we do as a vendor to help here? To me the answer is pretty straightforward:
    • Deliver stable security updates that people can trust and that rarely break systems: When I talk to our customers, I get the impression that there are rarely issues with our updates. When I look at the support calls we get after a "Patch Tuesday", this confirms my impression.
    • Make it easy to deploy updates: This means that we have to provide you with tools and processes to deploy updates without major challenges and problems.
    • Keep the number of reboots to a minimum: Well, without doubt, there we have some room for improvement and we are working on that. It is, however, not too easy to solve.
    • Be transparent: By keeping the highest possible level of transparency, without putting you at risk by revealing too much information to the bad guys, we can make sure that the decision about which part of a system you want to patch is in your hands.
  • Oracle claims that by making all updates cumulative it helps administrators, as once you decide to patch, your system is patched completely. This sounds great, doesn't it? What happens if one of these updates breaks your system and you need to uninstall just that single one until the problem is fixed? What happens if you decide that you do not want to patch a certain component because your risk assessment shows that this system is not accessible on a certain port and there is no reason to touch that part? Should you not be able to decide yourself? Knowing that we have IE, which we normally patch cumulatively, I am personally, for the reasons above, not a big fan of these updates.

Anyway, patching is always a lose-lose game. It is like selling an insurance policy: you have to invest in something bad not happening. So, where is the break-even point? What we can do (and have to do) is further reduce the number of vulnerabilities to make patching less necessary, and implement defense-in-depth measures to make the vulnerabilities hard to exploit. But will they ever go away completely? I doubt it.

Roger