By: Pie

Pie — Fri, 11 Apr 2008 13:09:57 +0000

Lee, thanks for chiming in. I tend to beat my developers when they get lazy, so I don’t have that problem.

Seriously, you raise several good points. I agree to some extent. I think a solid approach to providing patches is important and can lead to better designed software. However, it isn’t the answer, just one piece of the puzzle.

By: ldallas

ldallas — Fri, 11 Apr 2008 02:26:55 +0000

There is an old joke about the difference between theory and reality that I can’t tell here but I think the idea applies. In theory it’s more secure because you can patch it faster, in reality you have a lazy coders writing leaky software because they know its easy to patch and aren’t disciplined enough to deal with it in the first place. To be fair, maybe they don’t get time to test because the managers didn’t plan for it or test cycles got cut because the user didn’t want to pay for it. Regardless, patching doesn’t make software secure any more than the antibiotic you are taking strengthens your immune system. It kills the bug after you have it. Nevertheless, patching is a part of the IT immune system and if it isn’t healthy, your software dies.

To answer your patch now or later question – that’s a function of how much you trust your QA not to let a patch crash your system. If you can afford either the risk of limited testing or better yet – have an automated regression test that your operations organization will trust – then patch as soon as you can.

Comments on: Good Patching = Secure Software?

By: Pie

By: ldallas