Welcome to Techknow, the podcast in which Sophos experts debate, explore and explain the often baffling world of computer security.
In this episode, entitled Patching: Prepare, Prioritize and Proceed!, Paul Ducklin and Chester Wisniewski take a look at the challenges of security patching.
Do you really need seven committee meetings and a 90-day waiting period before you update your computers with the latest patches?
When Patch Tuesday rolls around, should you lead, follow, or get out of the way?
Find out what Duck and Chet think!
Great podcast — I couldn't agree more with accelerating the patching process.
For far too long, it has been an industry 'best practice' to roll out patches in a staged way, with a week between each stage. This means close to a month before production systems get 'critical' patches in the name of safety. Quite simply, that just doesn't add up!
I would love to see the standard practice being immediate patching of a well-monitored test group, followed by a rollout of those updates to the production environment after 24 hours. That way, a goal of 90% of machines patched within 72 hours would be highly attainable.
I think software companies could help by providing clearer methods for backing out patches that fail, however. It is not always easy to tell what went wrong, which patch caused the error or to know how to reverse a patch that did not suit the environment — especially if a company doesn't have the luxury of a virtual test environment. The more the software providers can ease that potential pain (however unlikely it is), the more confidence the general population would have in pushing ahead with less testing and more haste.
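The rollout the commenter proposes (patch a monitored test group immediately, promote to production after a 24-hour soak, aim for 90% of machines patched within 72 hours) can be expressed as two simple checks: a promotion gate and a compliance measurement. The code below is an added example, not part of the comment above, the podcast, or any Sophos tool; the host inventory, release time and failure list are constructed data, and the function names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed example data (not from the podcast or the comments).
PATCH_RELEASED = datetime(2024, 1, 9, 18, 0)   # hypothetical "Patch Tuesday" release time

# When each host applied the patch; None means not yet patched.
TEST_GROUP = {
    "test-01": datetime(2024, 1, 9, 19, 0),
    "test-02": datetime(2024, 1, 9, 19, 30),
    "test-03": datetime(2024, 1, 9, 20, 0),
}
PRODUCTION = {
    "prod-01": datetime(2024, 1, 10, 20, 0),   # 26 h after release
    "prod-02": datetime(2024, 1, 10, 21, 0),   # 27 h
    "prod-03": datetime(2024, 1, 11, 9, 0),    # 39 h
    "prod-04": datetime(2024, 1, 12, 20, 0),   # 74 h: outside the 72 h window
    "prod-05": None,                           # still unpatched
}

# Test-group hosts that reported a problem after patching (constructed: none).
TEST_FAILURES = set()


def ready_for_production(test_group, failures, now, soak=timedelta(hours=24)):
    """Promotion gate: every test host patched, no failures reported,
    and the soak period has elapsed since the last test-group install."""
    if failures:
        return False
    times = list(test_group.values())
    if any(t is None for t in times):
        return False
    return now - max(times) >= soak


def patched_within(hosts, released, window=timedelta(hours=72)):
    """Fraction of hosts that applied the patch within `window` of its release."""
    ok = sum(1 for t in hosts.values() if t is not None and t - released <= window)
    return ok / len(hosts)


def meets_goal(hosts, released, target=0.9, window=timedelta(hours=72)):
    """True if the share of hosts patched inside the window reaches the target."""
    return patched_within(hosts, released, window) >= target


def unpatched_after(hosts, released, window=timedelta(hours=72)):
    """Hosts a patch-management team would chase: late or still unpatched."""
    return sorted(h for h, t in hosts.items() if t is None or t - released > window)


if __name__ == "__main__":
    now = datetime(2024, 1, 10, 21, 0)
    print("promote to production:", ready_for_production(TEST_GROUP, TEST_FAILURES, now))
    print("patched within 72 h:", f"{patched_within(PRODUCTION, PATCH_RELEASED):.0%}")
    print("90% goal met:", meets_goal(PRODUCTION, PATCH_RELEASED))
    print("hosts to chase:", unpatched_after(PRODUCTION, PATCH_RELEASED))
```

With the constructed inventory, the gate opens 24 hours after the last test-group install, but only 3 of 5 production hosts land inside the 72-hour window, so the 90% goal is missed and the two laggards are listed for follow-up. A real deployment would feed the dictionaries from the patch-management system's inventory rather than literals.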
As stated early in the podcast, there's a difference between a security patch vs. a new features patch. But any patch changes existing code and any change to code could lead to other unexpected problems. Just about any Patch Tuesday results in people writing in to their favorite tech site or help forum complaining how a patch for one problem broke something else.
I believe there's a middle ground. Rather than install patches as soon as they're released, I wait a few days. This should be enough time for other users to report potential problems. But certainly not so long (seven committee meetings and a 90-day waiting period) that those exploits can take over a single computer or an entire network.
Any ‘patch’ that has ‘security implications’ should be released ASAP, period. Be it Windows Update or whatever…