Bill Gates must be livid. Just after he publishes an e-mail letter to customers outlining Microsoft's progress on its Trustworthy Computing initiative, the SQL Slammer worm--376 bytes of code also known as Sapphire, w32.SQLexp.worm, and Helkern--exploits known vulnerabilities in Microsoft SQL 2000 servers. It creates a global Internet slowdown and another embarrassment for the chairman of the world's most powerful software company. And to top it off, Microsoft's own servers were Slammed.

The worst part is that a patch for the vulnerability exploited by the Slammer worm was issued last summer and was included in the latest service pack for Microsoft SQL Server 2000. In fact, the majority of successful hacks come as a result of an exploitation of a known vulnerability. In failing to apply the updates to some of its servers, Microsoft didn't follow its own security policies. Gates, Ballmer and the other Microsoft execs are probably still cooling down, trying to avoid strangling the company's system administrators.

News source: ZDNet


Given that a patch was available, Microsoft should not have both feet held to the fire. Gates and company are extremely serious about removing the stigma attached to the level of security in its products. With customers looking to cut costs and Linux initiatives cutting into Microsoft's dominant share across multiple markets, having a reputation for defective, insecure products is not helpful in convincing customers to stay the course.

As part of the year long focus on security, the company claims that it retrained 11,000 developers--at a cost of more than $200 million in lost productivity--to make its products more secure. Tools like the Microsoft Baseline Security Analyzer, which scans systems for common misconfigurations across most of the company's products, are popping up.

But customers are also stuck with escalating costs to deal with vulnerabilities from Microsoft and many other vendors, at a time when cost reduction is a crucial IT priority. Sticking customers with the cost of maintaining the security of products is unacceptable. System administrators who fail to apply patches are certainly to blame in cases where a fix was available, but it's not that simple.

Applying patches can have unintended consequences. Because patches that fix one problem can create new ones, system administrators are understandably conservative when it comes to deploying patches without rigorous and time-consuming testing. Microsoft is trying to address the problem with its Software Update Services (SUS), which allows customers to download relevant patches to a SUS server and test the patch before deploying it in a live environment. But the cost of running those compatibility tests is borne by the customer, and the test isn't going to replicate exactly the live production environment in which the patch must live.

And, as Microsoft's own problems with the Slammer worm point out, keeping up with the stream of patches required to stay ahead of hackers is not easy, especially in an environment with downsized IT departments. In light of this situation, I have a simple proposal. Microsoft makes products that have defects. It may be the result of a complex ecosystem in which making millions of lines of code invulnerable to hackers is a Sisyphean task. Still, the cost to implement patches is a financial burden to Microsoft's customers.

With more than $40 billion stashed away, waiting for a good use besides providing a dividend for shareholders, Microsoft should use a small amount of those cash reserves to pay customers for the cost of testing and installing patches that address specific vulnerabilities. You don't pay to have your car repaired when a manufacturing defect is found.

Microsoft may be the biggest culprit because of the huge Windows market, but it's obviously not alone. The Red Hat Network, for example, routinely posts patches to address security vulnerabilities with its Linux distribution.

Any vendor whose products need patching due to security vulnerabilities can cut you a check for the labor associated with installing patches. And who should foot the bill for downtime and lost business due to a security breach in a specific piece of software? Maybe the vendor should help to pay your hacker insurance premium.

It will take time to sort this out, but the cost of keeping your network and systems secure should be a shared burden, not just a cost of doing business.



#1 Posted by Edge on 31 Jan 2003 - 17:24
[quote]Gates, Ballmer and the other Microsoft execs are probably still cooling down, trying to avoid strangling the company's system administrators.[/quote]
#2 Posted by Mr. Black on 31 Jan 2003 - 18:03
Obviously Microsoft doesn't hire the best System Administrators... I take a day out of every couple of weeks seeing if there are any updates to my Software, including Windows. Microsoft can't program software correctly without 1 billion exploits and bugs, and they can't patch their own software and servers. What m0r0ns...
#2.1 Posted by JaggedFlame on 31 Jan 2003 - 18:34
Either my math is messed up, or I just don't understand how around 60 patches a year equates to 1 billion exploits and bugs.
#3 Posted by Tom Servo on 31 Jan 2003 - 18:07
OMFG, make a company pay for havoc caused by laziness by others. Yea right.
#4 Posted by JaggedFlame on 31 Jan 2003 - 18:33
[quote]Should Microsoft pay your security patch costs?[/quote] Should journalists find new jobs?
#4.1 Posted by mezz on 31 Jan 2003 - 20:27
Too bad, there's no way for you to cover and make M$ look good on this issue.
#4.2 Posted by JaggedFlame on 01 Feb 2003 - 00:45
You've got to be kidding. Once you can explain to me why I should take this article seriously, maybe I'll take back my opinion.
#5 Posted by womble68 on 31 Jan 2003 - 18:38
It does depend on the Database/Software being used with SQL Server. Half of the time these patches break things. This is just as valid with an old patch as a new one. Applying patches without checking their implications usually ends up with problems. This could be one good reason why Microsoft, etc. didn't patch their own servers - possibly because they knew it'd cause their systems to be less stable?!?! Just a possibility.
#6 Posted by ir0nw0lf on 31 Jan 2003 - 18:56
Guess Micro$oft didn't learn from the same problems last year, huh? I believe they had similar problems with unpatched servers last year. It's hard to "trust" a company that urges/demands their customers to patch their leaky servers, when they themselves don't take a dose of their own medicine and patch their own.
