I figured I would throw daggers at Bex Huff and his recent posting:
I was shocked to discover that fewer than 20% of Oracle customers admit to applying the rolling security patches that Oracle releases... yikes
Bex, I bet you would be even more shocked to see how much it costs an enterprise to apply all those patches. Have you thought about patch management from a financial perspective? Let's say that a large enterprise has 500 IT software vendor relationships and each vendor iterates until they actually write their software securely. How many employees would it take just to understand the impact if this velocity were to increase?
CERT often says that 99% of security breaches are due to users not applying patches. In other words, 80% of Oracle customers choose to make themselves vulnerable to 99% of the attacks.
Can we acknowledge that the patch existed because the base software wasn't written with security in mind in the first place? Can we also acknowledge that the reason for the patch probably was that the software vendor wasn't being proactive in terms of finding security defects and instead relied on the outside world and their customers to find them? Bex, I wonder, if you were to take older Oracle code and run it through a static analysis tool such as those provided by Ounce Labs and others, would the patch have needed to be created later, or could it have been discovered earlier in the product lifecycle?
I'd argue most security problems are due to improperly configured and improperly maintained software.
At some level, I agree. I guess customers configure things improperly because the software allows them to! Maybe software vendors should choose configuration options that are secure by default vs. expecting customers to configure them securely? Can we at least acknowledge that for many products, we stupid customers tend to either configure things through wizards and/or take the defaults?
If you want secure applications, first demand software that is effortless to patch and maintain.
We are in full agreement here, but there are some challenges. First, I have no idea what the practical considerations are around writing software to make patching easier. Do you think others in the blogosphere would be willing to dedicate a couple of blog postings to help figure this out?