Sophos Techknow - Patching: should you lead, follow, or get out of the way?

Filed Under: Featured, Malware, Podcast, Vulnerability

Welcome to Techknow, the podcast in which Sophos experts debate, explore and explain the often baffling world of computer security.

In this episode, entitled Patching: Prepare, Prioritize and Proceed!, Paul Ducklin and Chester Wisniewski take a look at the challenges of security patching.

Do you really need seven committee meetings and a 90-day waiting period before you update your computers with the latest patches?

When Patch Tuesday rolls around, should you lead, follow, or get out of the way?

Find out what Duck and Chet think!


3 Responses to Sophos Techknow - Patching: should you lead, follow, or get out of the way?

  1. Gavin · 1141 days ago

    Great podcast -- I couldn't agree more with accelerating the patching process.

    For far too long, it has been an industry 'best practice' to roll out patches in a staged way, with a week between each stage. This means close to a month before production systems get 'critical' patches in the name of safety. Quite simply that just doesn't add up!

    I would love to see the standard practice being immediate patching of a well-monitored test group, followed by a rollout of those updates to the production environment after 24 hours. That way, a goal of 90% of machines patched within 72 hours would be highly attainable.

    I think software companies could help by providing clearer methods for backing out patches that fail, however. It is not always easy to tell what went wrong, which patch caused the error or to know how to reverse a patch that did not suit the environment -- especially if a company doesn't have the luxury of a virtual test environment. The more the software providers can ease that potential pain (however unlikely it is), the more confidence the general population would have in pushing ahead with less testing and more haste.
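The rollout schedule proposed in the comment above (patch a well-monitored test group immediately, follow with production after 24 hours, aim for 90% of machines within 72 hours) can be written down as a gate plus a compliance metric so that it is enforced and measured rather than just agreed in a meeting. The script below is an added illustration, not code from the podcast, from Sophos, or from the commenter: the host inventory, ring names, timestamps and the `Host` record format are all constructed for the example.

```python
"""Ring-based patch rollout gate and 72-hour SLA report (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Policy constants: the figures proposed in the comment above.
TEST_SOAK = timedelta(hours=24)   # production follows the test ring after this soak
SLA_WINDOW = timedelta(hours=72)  # measured from the vendor's release time
SLA_TARGET = 0.90                 # fraction of the fleet patched inside the window


@dataclass
class Host:
    name: str
    ring: str                       # "test" (monitored pilot group) or "prod"
    patched_at: Optional[datetime]  # None while the patch is still pending
    failed: bool = False            # patch installed but a fault was reported


def production_go_time(hosts: List[Host]) -> Optional[datetime]:
    """Earliest time the production ring may start, or None if the gate is shut.

    The gate opens TEST_SOAK after the last test-ring host was patched, and only
    while no test-ring host has reported a failure.
    """
    test = [h for h in hosts if h.ring == "test"]
    if not test or any(h.patched_at is None for h in test):
        return None  # nothing to soak yet: the pilot group is not fully patched
    if any(h.failed for h in test):
        return None  # a pilot failure holds production until it is understood
    return max(h.patched_at for h in test) + TEST_SOAK


def gate_status(hosts: List[Host], now: datetime) -> str:
    """Gate decision for the production ring at time `now`."""
    go = production_go_time(hosts)
    if go is None:
        return "HOLD: test ring incomplete or reported a failure"
    if now < go:
        hours_left = (go - now).total_seconds() / 3600
        return f"WAIT: test ring soaking, {hours_left:.0f}h remaining"
    return "GO: test ring clean for 24h, deploy to production"


def sla_report(release: datetime, hosts: List[Host]) -> dict:
    """Compliance against the 90%-within-72h goal, plus the hosts dragging it down."""
    deadline = release + SLA_WINDOW
    compliant = [h for h in hosts
                 if h.patched_at is not None and h.patched_at <= deadline and not h.failed]
    laggards = sorted(h.name for h in hosts if h not in compliant)
    ratio = len(compliant) / len(hosts) if hosts else 0.0
    return {"ratio": round(ratio, 3), "met": ratio >= SLA_TARGET,
            "deadline": deadline, "laggards": laggards}


# Constructed sample inventory: a Patch Tuesday release at 18:00 UTC, three
# pilot hosts patched the same evening, most of production the following day,
# and one legacy box that never got its patch inside the window.
RELEASE = datetime(2014, 3, 11, 18, 0)
SAMPLE_HOSTS = [
    Host("pilot-01", "test", RELEASE + timedelta(hours=2)),
    Host("pilot-02", "test", RELEASE + timedelta(hours=2)),
    Host("pilot-03", "test", RELEASE + timedelta(hours=3)),
    Host("web-01", "prod", RELEASE + timedelta(hours=30)),
    Host("web-02", "prod", RELEASE + timedelta(hours=30)),
    Host("db-01", "prod", RELEASE + timedelta(hours=31)),
    Host("db-02", "prod", RELEASE + timedelta(hours=31)),
    Host("app-01", "prod", RELEASE + timedelta(hours=32)),
    Host("app-02", "prod", RELEASE + timedelta(hours=32)),
    Host("legacy-01", "prod", None),  # still pending
]

if __name__ == "__main__":
    print(gate_status(SAMPLE_HOSTS, RELEASE + timedelta(hours=20)))  # still soaking
    print(gate_status(SAMPLE_HOSTS, RELEASE + timedelta(hours=28)))  # go
    print(sla_report(RELEASE, SAMPLE_HOSTS))
```

With the sample data the production gate opens 27 hours after release (the last pilot host was patched at T+3h, plus the 24-hour soak), and the fleet lands exactly on the 90% target with `legacy-01` listed as the only laggard. Marking any pilot host as `failed` closes the gate, which is the behaviour a monitored test group is there to provide.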

  2. Ben · 1141 days ago

    As stated early in the podcast, there's a difference between a security patch and a new-features patch. But any patch changes existing code, and any change to code could lead to other unexpected problems. Just about any Patch Tuesday results in people writing in to their favorite tech site or help forum complaining how a patch for one problem broke something else.

    I believe there's a middle ground. Rather than install patches as soon as they're released, I wait a few days. This should be enough time for other users to report potential problems. But certainly not so long (seven committee meetings and a 90-day waiting period) that those exploits can take over a single computer or an entire network.

  3. RMc-Canada · 1140 days ago

    Any ‘patch’ that has ‘security implications’ should be released ASAP, period, be it Windows Update or whatever...


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog