
Patch management study shows IT taking significant risks

IT pros need to take patch management processes seriously and more diligently understand the plethora of applications being used by end users.

The latest research around patch management is a good reminder for security teams to move patch diligence up the stack to applications and to resist disabling signature checking for performance in UTMs.

Qualys Inc. presented an update at the recent Black Hat USA 2009 briefings to their Laws of Vulnerabilities research, a timely statistical review in light of the increase in Microsoft Internet Explorer, Microsoft Office, Adobe Reader, and Apple QuickTime application level attacks. The study, first conducted in 2004, is based on years of accumulated vulnerability scanning data of the Qualys installed base.

The surprise in the Laws of Vulnerabilities 2.0 research is that security performance in basic vulnerability management has not significantly improved over the last 5 years, while malware developers have improved the cycle times of exploiting vulnerabilities. For example, the time to patch a vulnerability in 50% of endpoint and server systems remains at approximately 30 days, with a dismal average of more than 50 days in manufacturing companies. This cannot be blamed on oblivious-to-security consumers, since the vulnerability scanning data comes from scans driven by enterprise security teams.

IT needs to pay greater attention to applications that have been downloaded to desktops and laptops. These applications are becoming the primary point of attack for malware engineers because their vulnerabilities are easier to exploit than, say, vulnerabilities on a server tucked away in a data center. In many cases, IT does not even know what applications users install on endpoints or whether those applications are registered for automatic patch updates.


Application level attacks are taking advantage of the inattention from security teams that leaves vulnerabilities exposed for more than a month. Application vulnerability patching is a security core competency and a discipline that IT can control. IT can start by measuring vulnerability half-life (the time until half of the affected systems are patched) for applications and systems software.

Users who have installed unauthorized software, or have taken the initiative to self-install applications needed to do their jobs better, probably have not signed up for support or security updates. Regular IT audits of software configurations will show the profile of applications across the user community. IT can use this intelligence to organize vulnerability patching, proactively negotiate more favorable license terms and pressure the application vendor to be more responsive with security updates. A regular audit program will quantify the risk to the organization. The bottom line: IT cannot help secure what it does not know about.


The persistence principle documented by Qualys shows that vulnerabilities are never eradicated from an organization. If IT assumes that a vulnerability always exists in the network, then network and host security products that operate on a subset of their attack signature base cannot provide adequate protection. In particular, some UTMs may reduce signature scanning to preserve performance. IT may want to examine virtual appliance packages where security performance can be boosted by installing the security software on a faster server without sacrificing granular attack detection.

Qualys does not have data on the world of consumer PCs, but it is safe to estimate that the application security situation there is far more dire. Users may not keep up to date with security updates, and bootlegged software will almost certainly not be registered and is ineligible for support. The Laws of Vulnerabilities is an exhaustive study that shows we can do better. It is a good reminder while we wait for application vendors to be more aggressive about patching their vulnerabilities.

Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to
