Feeds

Patch Management: Should it even exist?

Necessary drudge or Elastoplast?

  • alert
  • submit to reddit

The Power of One Infographic

Workshop From the outside in, it’s easy to question the need for software patching. “Surely,” some might ask, “If software was written properly we wouldn’t need the IT department to spend time patching it?”

The even more cynical might suggest that the whole thing is a money-making ruse – without the need for patching, we wouldn't have an army of other software firms writing patch management software, and before you could say HFNetChkLT the world would be a poorer place.

By and large, though, most software is written properly. The market has come to accept that software vendors ship code with vulnerabilities and that part of the joy of ownership/use involves a semi-continuous programme of updates and improvements, whether they involve fixing bugs, adding new functionality or addressing security flaws as they are discovered.

The only way to reverse this state of affairs would be to hold off on all new releases for a few years while development teams perfected their existing product sets and worked out how to create ‘perfect’ software going forwards. Although most IT professionals would welcome the breathing space, it’s not going to happen.

So how does it all pan out for the IT department running countless different software applications? Microsoft’s ‘Patch Tuesday’ has become a fixture on many an IT professional’s diary. It’s probably not their favourite calendar date but at least they know it's coming.

If every vendor has its monthly patch day we can easily appreciate why certain quarters of the IT industry talk about why we must reduce the ratio of effort between keeping the lights on and adding value, and are keen to offer tools designed to help IT departments do just that.

There is no shortage of tools in the market to help address patching activities and this may even play a part in making, or keeping, life complicated for the IT department. A tool which automates the patching process may sound like a great idea; but if your environment is currently patched on an ad-hoc basis (ie, with little or no formal processes in place to plan, test, track and report on progress) then implementing an automated system might not be the best thing to do immediately.

Then there is the question of which product or type of product to use. Vendors such as Shavlik, PatchLink and others offer ‘pure-play’ patching tools. But there are also tools which fall into this realm from related disciplines: change management, security management configuration management and life-cycle management to name but four. Then there are vendor specific tools, such as Windows-only tools from Microsoft.

Let’s be clear though. Patching is by no means a Windows only issue, but its ubiquity and programmatic bulk means that it will be forever both a target for nay-sayers/doers and an ongoing source of opportunity for Microsoft development teams and lots of others to boot.

Maybe the open source community has this area nailed. Continual, community driven change and development might just be a big cover-up for what the rest of the IT community using proprietary software sees as a pain, but at least it’s what they signed up for. And they get to say funny things like “Linux - it’s a patch for Windows isn’t it?”.

But then, maybe it doesn’t. In reality, open source has its own challenges on the patching/testing side. For example, it puts even more onus on the IT team to work out what each patch provides, what it doesn’t address and how to test it.

Proprietary or not, until the day comes that every piece of software in use from a third party lives ‘in the cloud’, the need for patching will continue. And then it will still continue, but you won’t care. While we wait for that special day, who’s got it right/wrong/easy/hard in your world when it comes to software patching?

Top three mobile application threats

More from The Register

next story
NEW Raspberry Pi B+, NOW with - count them - FOUR USB ports
Composite vid socket binned as GPIO sprouts new pins
Child diagnosed as allergic to iPad
Apple's fondleslab is the tablet dermatitis sufferers won't want to take
Microsoft takes on Chromebook with low-cost Windows laptops
Redmond's chief salesman: We're taking 'hard' decisions
For Lenovo US, 8-inch Windows tablets are DEAD – long live 8-inch Windows tablets
Reports it's killing off smaller slabs are greatly exaggerated
Seventh-gen SPARC silicon will accelerate Oracle databases
Uncle Larry's mutually-optimised stack to become clearer in August
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.