BOSTON -- Who hasn't installed a patch that ends up breaking another application? Wouldn't it be nice if there were an independent group that tested patches to make sure they don't disrupt common applications?
That is exactly what Richard Clarke, the White House's former cybersecurity advisor, suggested this week at a chief security officer (CSO) roundtable sponsored by Qualys Inc., a Redwood Shores, Calif.-based provider of vulnerability scanning services. "Companies get patches from Sun, Microsoft and Oracle that they say are to fix problems, but they don't say what other things [the patches] would do to the network," he said.
Clarke envisions that an organization like CERT would handle the patch-testing duties. It could test new patches against perhaps the top 100 applications from companies like Siebel Systems Inc., PeopleSoft Inc. and Oracle Corp. Custom and proprietary applications would still have to be tested in-house.
Some companies already have strict policies in place to test patches before rolling them out on production systems. Framingham, Mass.-based research firm International Data Corp. recommends that enterprises set up pilot labs for testing patches, said Allan Carey, IDC's program manager for information security services and a member of the panel. "A lot of companies have seen patches not do what they were supposed to do," he said.
A centralized body to handle testing would save companies much of the work they now duplicate in testing patches themselves, Clarke said. That saved time is precious, because the window of opportunity for patching systems -- the time between the release of a patch and the release of an exploit for the flaw it fixes -- is narrowing. A version of Clarke's idea was included in the National Strategy to Secure Cyberspace.
Whether or not a patch-review body is a good idea, the logistics of such a system are far from simple.
For starters, some administrators and experts contacted by SearchSecurity.com wondered who would pay to support such an organization, among other concerns. The software vendors would probably balk at coughing up the money because they already spend so much on testing their own patches internally.
In fact, companies like Microsoft have sophisticated testing environments in which they check their patches, said Tim Mullen, chief information officer and chief software architect for AnchorIS.com, a developer of secure enterprise accounting software. It's unlikely that an independent patch-testing body would have enough resources to test against all the different application versions that people are running, he said.
Moreover, some administrators doubt that such a body is even realistic. "It sounds great in theory; however, the combinations and permutations of test environments would make this impractical," said Andrew Moffat, CEO of Ottawa-based Educom TS, a software developer specializing in e-mail management. "I do not want to wait for a week or so to have an independent body check it and then make it available."
Sometimes security alerts are so severe that companies install the patch immediately and worry about broken applications afterwards. "We would rather deal with the breakage the patch may cause rather than expose ourselves to the risk," said Michael Lawrence, network administrator with the city of Lenexa, Kan.
There are also informal resources that IT administrators can use. "[Any] good administrator will also keep his eye on the various newsgroups to see how the patches are holding up under real-world conditions before rolling them out himself," said Dale Jackaman, director of IT systems for Vancouver, British Columbia-based BC Research Inc.