Security Holes Aren't Being Filled
from the of-course-not dept
There’s a new study out talking about how many sysadmins don’t do a very good job patching security holes. The study and its conclusions seem a bit flawed, however. First, the “study” is based on a single flaw that one security consultant decided to follow. He did a Google search to pick servers that had that flaw (he apparently found out about the flaw right before it went public). Then he kept testing those servers over time to see who fixed the flaw. Since it’s only one instance, it’s not clear how conclusive this study is. The conclusions also seem a bit off-base. The guy says he thinks that the sysadmins who didn’t patch the hole are clearly lazy. However, with the incredible number of security hole announcements that come out every single day, I think it’s more of a “crying wolf” situation. There are only so many security holes that sysadmins are going to respond to, and after a while they don’t see the threats as being that strong compared to the actual effort of patching.