Ask The Security Expert: Questions & Answers

Testing security patches

Expert response from: Jonathan Callas

QUESTION POSED ON: 09 February 2002
I am looking for best practices on how to test security patches before applying them. After what kind of testing do other shops consider a patch safe? I know it has to vary for different environments, but when does one consider that enough testing is enough testing?

In a perfect world (and I am dreaming "out loud" here), I would use an automated tool that would drive lots of different tests against a patched server and overnight it would give me a report stating that the results matched some predefined criteria allowing me to decide if the patch is safe, i.e. does not create other problems. Does such a tool exist?

Unfortunately, recent history makes it so that the best practice about patches is to install them as soon as possible, and the IS staffs are negligent if they delay. If you look at security problems as having a window of vulnerability, delaying the install of a patch merely makes you more vulnerable. The problems they fix are so frightening that delay is bad.

You are right, in a perfect world, there would be a set of tests you can run against a server or workstation to make sure that things work properly. However, we don't get told what's in those patches, and so it is hard to know what to test. Often, the description of the problem is intentionally vague so as not to make it utterly obvious how to write an exploit program that can compromise machines during the time that IS groups are rolling out the fix.

In the case where a security fix is a browser fix, you are balancing the browser not working against one of your 10,000 users reading the wrong Web page that infects their machine. Pick your poison.

There aren't automated tools that can tell you if the patch is safe. It would be nice if there were. But alas, vendor software is not very good, and there's a reason they're creating the patch. Some Microsoft people I know told me that it costs them US$100,000 to release a patch. They don't do it because they want to. They do it because the problem is embarrassing enough to spend $100K to deliver a fix.
