Security experts bemoan poor patching

SAN FRANCISCO--Top security officers warned on Tuesday that patching software flaws is still far too difficult, with many companies left vulnerable because they are lagging behind on applying critical updates.

Vulnerability assessment firm Qualys supported the statements, made during a panel discussion at the RSA Security Conference here, with data culled from monitoring its clients' networks. The data, collected over two years, shows that it takes a month to cut by half the number of vulnerable computers connected to the Internet.

That's far too long to wait to fix the worst security flaws, said Gerhard Eschelbeck, chief technology officer and vice president of engineering for Qualys.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

"What the data is telling us today is that we have a cycle of fixing vulnerabilities...that leaves up open to significant exposure," he said. "We need to make every possible effort to shorten the cycle."

The data and concerns spotlight a constant source of pain for corporate security professionals: Much of a company's security relies on patching software flaws, but applying such fixes to critical systems takes time, leaving the systems vulnerable. The large number of systems vulnerable to last winter's Slammer worm, which took advantage of a six-month-old flaw, underscores the issue, as does the MSBlast epidemic last August.

Microsoft announced in October that its quest to convince customers to regularly patch to secure software had largely failed. The company decided to revamp its patching systems, limit the release of fixes to once a month, and augment the upgrades with several other security initiatives aimed at locking down its customers' network perimeters.

The move to monthly patches got mixed reviews among the panel of experts.

"When Microsoft was sending out a lot of critical vulnerabilities, it got to the point where it was like the boy crying wolf," said Phillip Harris, vice president of information security for supermarket chain Safeway. "Instead of crying wolf all the time, they are crying wolf once a month."

He added that Microsoft's focus on delivering predictable upgrade intervals could work to the advantage of underground vandals and would-be attackers looking for a weakness in a company's systems. While Microsoft waits to perfect a patch, a company could be left vulnerable to an attacker who has already figured out the flaw.

"The people that are exploiting these vulnerabilities are not working on a schedule," Harris stressed.

However, another security executive said that the focus on taking time to produce problem-free patches should go a long way toward making it easier for companies to take care of the fixes quickly. Today, corporate security teams frequently find themselves testing the fixes to make sure that they don't break any critical business applications, said Dennis Devlin, vice president and corporate security officer for The Thomson Corp., a business information provider.

"The best practice in (patching) comes from the Hippocratic Oath: Do no harm," he said. "As long as the patches don't harm the systems, then they are good."

However, companies should also demand more from their software makers, said Mary Ann Davidson, chief security officer for database software maker Oracle. Developers need to start focusing, as Microsoft has done with its Trustworthy Computing Initiative, on changing development procedures to eliminate flaws, she said.

"I tell people to get out their pitchforks and firebrands," Davidson said. "You spend a lot of money on software, so you should get good software."

Davidson said one way to enforce better software practices is for the government to fund open-source tools to scan code for common security problems during development. Then, federal agencies could make it mandatory for their suppliers to use the tools and audit their code, she said.

Relying on private companies to fix the problem doesn't seem to work, Davidson said.

"Venture capitalists would much rather fund Band-Aid companies than vaccine companies," she said.

But for now, companies still have to tackle how to find the flaws in the wide variety of computers that form the backbone of their business. The problem is daunting to say the least, said Safeway's Harris.

"At times I feel that we are being managed by the problem, instead of managing the problem," he said.