Good Patching = Secure Software?


I’m way behind on posts, and just about everything else. So I’m just getting ready to talk about the post Bex threw out there about security. It was a simple enough post, asking people to participate in the IOUG Oracle Security Survey. Not using any Oracle product, except for databases that I don’t really control, I wasn’t going to participate. However, there was this neat tidbit:

With easy patching, easy maintainability, stable software, and a vigilant community, security is a natural by-product.

A commenter quickly mentioned how keeping up with patches can be expensive, if for no other reason than to test and verify each application during the patch process. In my more critical deployments, we roll software updates out in releases every 6 months or so, depending on a myriad of factors. To make the cutoff for testing, the patch needs to be released 2-3 months before a release so that it can be adequately tested.

Bex replies to the comment and explains how a good patch system reflects better discipline among the development team. My experience backs this observation up. Patching a system when the development team isn’t well disciplined can lead to nightmares.

Thus, in order to achieve the the goals of secure software, its more important for developers to understand the nuances of patch management, the dangers of code branching, and the law of unintended consequences.

A few hour-long seminars on security would prevent developers from making the really stupid mistakes… however, the nasty security problems are much more subtle… and frequently you don’t notice them until your system is live.

James Chimes In

The last line immediately brings to mind thoughts by James, and I wasn’t the only one to notice.

James responded to Bex’s post. His key difference was that if software was written with security in mind to start, then the patch wouldn’t be necessary. As I’ve stated before, you can test all you want, but the wild will always find things that tests, even automated ones, failed to find. So let us just take it as granted that patches will always happen.

Bex replies and mirrors my thoughts on this almost exactly, but with better detail.

If True Then Secure Software = Microsoft?

This is the fun part. If Bex’s supposition is true, does that mean that Microsoft has secure software? Their patching system is pretty good. By default, it is proactive and it is up to the system administrators to stop the Automatic updates. If a Microsoft patch isn’t applied, then the system is either really old or the administrators have chosen not to deploy patches.

This, of course, would seem to absolve Microsoft of lots of abuse that they take on a regular basis. We all know that it isn’t that simple. The original comment on Bex’s post shows the reality of trying to patch every three months in a large company. The company in the comment put a price on security and decided it was worth the investment.

James says that patches don’t equal security (though he is in favor of easy to patch software). In his last of the string of posts, he points to the frequency of patches provided by Microsoft as being too frequent. Bex alludes to the same thing in suggesting that the vendor should limit their patches to rolled-up patches.

This begs the question, is it worse to issue a security patch as soon as you have things ready or to wait until you have a bundle of them for a quarterly release? The answer appears obvious…Patch right away. This is what Microsoft does. You can wait and run Windows Update once a month, or you can take everything as it comes down the pike. Being able to decide your own risk is a good thing.

Do you know who has the best patch system? Online gaming companies. Maybe we can learn a thing or two about security from the gaming companies.

2 thoughts on “Good Patching = Secure Software?

  1. There is an old joke about the difference between theory and reality that I can’t tell here but I think the idea applies. In theory it’s more secure because you can patch it faster, in reality you have a lazy coders writing leaky software because they know its easy to patch and aren’t disciplined enough to deal with it in the first place. To be fair, maybe they don’t get time to test because the managers didn’t plan for it or test cycles got cut because the user didn’t want to pay for it. Regardless, patching doesn’t make software secure any more than the antibiotic you are taking strengthens your immune system. It kills the bug after you have it. Nevertheless, patching is a part of the IT immune system and if it isn’t healthy, your software dies.

    To answer your patch now or later question – that’s a function of how much you trust your QA not to let a patch crash your system. If you can afford either the risk of limited testing or better yet – have an automated regression test that your operations organization will trust – then patch as soon as you can.

    Like

  2. Lee, thanks for chiming in. I tend to beat my developers when they get lazy, so I don’t have that problem. 🙂

    Seriously, you raise several good points. I agree to some extent. I think a solid approach to providing patches is important and can lead to better designed software. However, it isn’t the answer, just one piece of the puzzle.

    Like

Comments are closed.