Wuchner-Brühl, who is on Microsoft's security advisory board, said that the software maker is paying closer attention to customers' concerns.
However, the company's most recent security changes will be of little help to him. Wuchner-Brühl manages a system of over 3,000 mixed servers in a "qualified" environment, meaning that any change to the files and systems must be documented in detail. Novartis is a pharmaceutical firm and must comply with detailed healthcare industry regulations.
In addition to the 30 minutes it takes to apply a patch, his staff has to do two to three hours of paperwork to document the patch.
"In a qualified environment there is a lot of work behind the scenes, you don't just apply a patch," Wuchner-Brühl said.
The company already collects patches for a monthly update, and combining multiple fixes in one patch can actually create more work in qualified systems because administrators have to document all the changes, whether they thought they needed them or not, Wuchner-Brühl said.
Even administrators working in an unqualified environment have to do more work than simply applying a patch implies. Most companies test patches on an isolated system first to make sure they don't "break" an application, especially if that application is customized.
In fact, fear of breaking applications deters many companies from applying patches that they need, according to Ecora's Bakman. Companies will put off patching, and certainly won't go through the process at critical times, like before a big retail or holiday season, he said.
Oracle's Davidson added that "people won't apply patches for anything in the last three weeks of the fiscal year because they don't want to risk their systems going down."
Still, patching is just a symptom of underlying problems with software, Wuchner-Brühl noted. To address vulnerability issues, software vendors are increasingly looking to offer more secure products from the outset under "secure computing" initiatives.
Microsoft, for example, has said that it is rolling out technologies to protect customers from problems such as buffer overruns, which are often exploited by hackers to take over computers, and to offer protection against attacks on communications ports.
The Redmond, Washington, software maker has said that its upcoming desktop operating system, code-named Longhorn, will be more secure. Longhorn isn't due until mid-2005, however.