Servers still not patched

  • Article

I just read an article this morning on Linux servers under the Phalanx gun: A problem with people, not code. There were quite some things which made me think when I read it:

There was a statement in there, which I – obviously – did not like at all: Linux may be inherently more secure as a system, which is always an interesting discussion. The guy writing the blog post claims that Linux is easier to secure than Windows, which I completely disagree with. If you know what you do you can secure each and every system. However, we do a great deal of work to make sure that our systems are as secure as possible by default and additional provide you with tools (like the Security Configuration Wizard) to make sure you can secure the system as far as possible and additionally run as secure as possible. We know and proved it with a lot of figures that our systems have by far less vulnerabilities than others (e.g. https://blogs.technet.com/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx) and third-party research showed clearly that our systems are less at risk than others.

But as I commented several times already, this discussion does not really lead to more secure systems but just some entertainment for people who like these debates.

Coming back to the article above: One of the conclusions in the article is, that patching is often a people and process problem, rather than a technology problem. This is not new either. The question to me is, why do people not deploy? We do customer surveys about their satisfaction with Microsoft every now and then. People are still not too satisfied with the security of our products. So, there is still a lot of work to do. However, if we ask then whether our updates are easy to deploy, we get a very, very high rating all across the segments and audiences. So, why do they not deploy? Is it because they are afraid of the downtime? Could be, so we have to work harder to reduce the number of reboots (is this different in other OS? I do not know but I doubt). Is it the tools? Is it lack of knowledge? Is it ignorance?

I do not know but would love to understand

Roger