October 23, 2003

Patchy years ahead for software users

IT administrators struggling to keep up with patch work

Dale Sweitzer, a network administrator for Crossville Ceramics in Tennessee, has hit a rough patch -- or series of rough patches to be exact.

Sweitzer, who handles security for 160 geographically dispersed PCs running Microsoft Corp. software, says that he spends more time and money applying software patches than he does doing almost anything else on the job, and he's not alone.

Although vendors like Microsoft have been working recently to simplify software patch delivery, the problem remains a critical one for IT administrators who are struggling to keep up with all the patch work.

From filling security holes to upgrading features, the act of applying patches -- or putting a new piece of software code over an old one -- has become for many a full-time job.

"Patching is a nightmare," said Alex Bakman, founder and chief executive officer of patch management provider Ecora Corp. The recent onslaught of security threats like Blaster and Slammer has only aggravated the problems administrators face, he said.

According to Bakman, it takes an average of 30 minutes to apply a patch to each machine in a company's system, and hundreds of patches have been released by various vendors so far this year. Companies are selecting which patches they need to apply because their IT staff is already spending two to three hours a day patching systems, Bakman said.

"The current frustration level is incredibly high," Bakman said.

Of course, patching is just a symptom of the wider problem with software, users say, which is the gradual and seemingly endless discovery of new security vulnerabilities which must be patched and fixed throughout the software's lifetime, requiring an enormous amount of time and money.

"The total cost of ownership of software is incalculable," Sweitzer noted.

Vendors blame insecure code. However, eradicating patches by creating flawless software is impossible with imperfect humans writing software code.

"Despite all our best efforts, all vendors in this industry still have vulnerabilities," Steven Adler, senior security strategist for Microsoft in Europe, the Middle East and Africa (EMEA), told an audience of IT administrators at Gartner Security Summit in London last month.

While the patch situation doesn't look set to improve anytime soon, vendors say they understand the administrators' frustration and are working to improve the situation.

Oracle Corp. Chief Security Officer Mary Ann Davidson said that her company sees patching as the last phase in its security efforts.

"We try to do things right the first time but to err is human," Davidson said.

Oracle has a rigorous policy in place for testing and delivering patches, she said, and notifies customers of severe problems which can be exploited.

"Otherwise, we don't want to yank their chains. People don't have time to apply a lot of patches," she said.

Patching is also a big concern for Sun Microsystems Inc., according to Gilles Gravier, the company's managing director of operations for platform infrastructure and security in EMEA.

©1994-2009 Infoworld, Inc.