Feeds

The practical guide to patch management

Get back in there and build me a proper business case

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

Paper trail You may have noticed how often these days IT vendors talk about "building a business case". They want to furnish you, the IT pro, with the info to persuade sceptical business unit managers, or B.U.M.s as they are sometimes known, to buy their stuff for the good of mankind.

Let us put to one side the notion that this is perhaps something that the IT vendors should be doing themselves. More interesting is that the need to argue for sensible stuff like a proper patch management process or a web application security strategy, shows how high the stock of the penny pincher has risen - or how low the standing of the IT security pro has fallen.

And so to the Reg Library for two papers from a couple of industry heavyweights on building that business case.

A practical guide to building an effective patch management process

Building a business case for patch management is the most crucial step to obtaining executive support, says Dell as it sets out its stall. An unpatched vulnerability can result in "loss of customer confidence, productivity and legal ramifications if not properly resolved", the company notes. And as Dell says, the overall cost to a successfully exploited vulnerability can easily exceed the cost of patching against the vulnerability.

This paper is all about the process and the bureacracy of patch management. The company itemises the steps that should be taken to articulate the business case for patch management. It argues for the formation of a patch and vulnerability group and suggests a charter to map out the team's responsibilities. The paper contains lots of links and practical advice on policy. A useful, if somewhat dry, guide.

The business case for application security

“the problem of insecure software is not primarily a technological problem, it is an economic problem.” - Bruce Schneier.

The above quote, cited approvingly by HP, encapsulates the company's challenge in building that business case for web application security. The complexity of web applications creates a larger attack surface than ever, as we examine in our upcoming webcast Jump-start your application security initiatives.

It is self-evident to us that HP is right in saying that "risks from web applications justify making a commitment to secure application development and procurement". But this appears to be less obvious to many of the company's prospective customers.

The paper's main goal is to convince the reader that "excellence in application security is achieved by embedding security into the complete application development lifecycle. A security vulnerability is a software defect that should be identified during development. Incorporating security into the very beginning; from strategy, planning, design, coding, testing, and operation is a proven approach."

Application security is also part of good corporate governance. But HP notes that security practitioners "sometimes need to be reminded of the extent to which business executives are willing to take risks as a part of corporate strategy. Risk is opportunity, and chief executive officers often are huge risk takers, for good or for bad." Don't we know it.

The paper runs through various business case models for application security and ends by mapping out where its technology sits within the application lifecycle. Not bad at all. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.