Software patching is a necessity for every business and yet a decade after this idea became an established fact it still looks and feels more like a risky black art than a predictable form of engineering. There are a number of complex technical problems in play here but a new analysis from security firm Tripwire has come up with a single phrase it thinks sums up the condition as a whole: patch fatigue.
Security firms like to ambulance-chase problems because there are always plenty of problems to chase, but 'patch fatigue' doesn't feel like the usual hyperbole. Amidst survey numbers drawn from talking to nearly 500 US-based IT professionals, it identifies a number of pressure points that seem to be getting worse rather than better.
The business world has never had so many patches from so many vendors, many of whom never used to update anything unless their software minions had written a new version of a product. It should be the ideal world and yet it has become very heavy going. The contribution this state of affairs has made to software insecurity is impossible to calculate, but it's clear that without some new thinking, something will eventually topple over.
First, some figures that underline the scale of what lies behind the term 'patching' itself. Based on the Common Vulnerabilities and Exposures (CVE) database, 2015 saw 6,000 new vulnerability additions across a wide range of products, vendors and open source projects. Most organisations above a certain size will be affected by several hundred of those, between one and three per day.
According to Tripwire, almost half of the IT admins it asked admitted they were now struggling to keep up with patching, with 76 percent owning up to being confused about which patch should be applied to which system. The connection between this and negative outcomes such as data breaches is hard to assess, but the importance of software flaws in documented attacks is there for all to see.
Issue 1 - patching has become too time-consuming
Tripwire's assumed desktop image would have required 188 security patches during 2015 with these having to be applied across anything from a few hundred to 5,000 systems in an organisation. It sounds like an obvious problem but patching has risen dramatically over the last decade as the scale of software vulnerability and exploits exploded. If applying some of these patches requires a dreaded reboot, the process of applying them in a server environment can quickly become onerous and lead to downtime.
Issue 2 - some vendors are easier to patch than others
The easiest to patch were said to be Google's Chrome, Red Hat Linux and WordPress, while the toughies were Oracle Database, Oracle Java and Cisco IOS. Interestingly, Microsoft Windows and VMware vCenter divided opinion, making it on to both lists. Some people find them a pain, others don't. Overall, however, Microsoft was seen favourably; Oracle definitely wasn't. Cisco is seen as too complex.