Risky Business #141 -- Why does patch management STILL suck?
Thu, 02/25/2010 - 17:15
This week's edition of Risky Business is brought to you by Kaspersky and hosted by Virtual.Offis.
This week we take a look at patch management and ask why it still sucks. Security professionals have been advising their clients to sort out their patching processes for more than ten years, but it's still at the top of many, many a post-audit report.
We chat to Securosis analyst Rich Mogull about his research on patch management.
I've spent a fair amount of time in a previous life looking at Patch Management systems and trying to sell them into corporates locally. These products are ok when you get down to it, and some of the ones like Lumension (previously Novell, Patchlink) go one step further by testing patches for a lot of non MS software vendors and deploying them for you, making life easier.
The biggest problem is cost. These products for a large corporate will go into the $100k space with annual support costs which is a lot of money for what you get. Until someone is stung, they just wont spend that kind of money. And the reality is that WSUS can handle the majority of the patch deployment anyway for free. So all you get from third party patch managment solutions is support for non MS applications.
In essence, Patch Management sucks, no-one cares about it in corporate and its almost an impossible sell :)