Sat, Jan 7 2006 20:34
Over my dead body
On a couple of listservs and blogs the idea is going around that, now that this patch got out so quickly, all patches can get out this fast.
First off, I think that's a simplistic view, as not all patches are created equal. This one was a small file. Take a look at the IE patches and their file manifest. Huge in comparison. Thus to say that an IE patch can be written, tested, and signed off in the same fashion as this patch is ... I think ... too simplistic a view of how 'change management' works and of how each security issue is not the same as another.
It's easy for bloggers to say 'oh we need to demand beta patches as admins can decide the risk and apply them' and not realize the near 'freak out' that I'm sure would result, because quite honestly we have no clue whatsoever as to our real risks out here. None. Zilch. And as a result, each of us would think that we are in need of that fix. So what would happen? Untested patches unleashed on our networks. Okay, so how do we track issues then? Is it beta version 1 of that patch you are seeing that with, or beta version 2? Yeah right, that would work out well, wouldn't it? We'd have an absolute freak out on our hands.
Furthermore, I don't see these posters and bloggers in the newsgroup on the day after patching when, on the rare occasion, we do see issues. I don't see you there helping that computer user try to get that box back into a usable condition. It's easy to ask for this when you are where you are and do have the resources to handle such things, unlike most home and small businesses.
Yeah, there are times that I will look at how long a patch takes to come out and wonder ... gee ... that's a long time ... but at the same time ... neither I nor many out here making these demands have any idea of the process that it takes to get a patch out: coded, tested on the umpteen versions. It's easy to say these things when we're on this side.
Some have suggested that beta patches be handled like KB articles, so that you'd call into PSS to get them. And all that would do would be to get code that could be reverse engineered into the hands of the bad guys that much faster.
I'm not saying that I know the right answer here, the right balance, or anything. But I'm tired of 'standards' and 'best practices' being used in such an easy way without understanding what you are saying and asking for. Sometimes 'standards' force you into being too rigid and not agile enough. I'm not going to ask for a standard patch build timeline because we truly have no way to set such a standard. Some issues may be so deep and embedded in the operating system that they will need additional analysis.
I do like the once-a-month patch deployment because it means I can plan my month and my security accordingly.
The standards that are in place now... a patch no sooner than it's ready... a patch for all critically vulnerable systems at the same time.... a patch for all languages..... a patch for all versions.....released on patch Tuesday unless it's an unusual event.....that's enough of a standard in my book.
Except for one more standard....... over my dead body will untested patches be unleashed on the SBS community. That's one standard I will enforce.
Filed under: Security