Security Holes Aren't Being Filled

from the of-course-not dept

There’s a new study out talking about how many sysadmins don’t do a very good job patching security holes. The study and its conclusions seem a bit flawed, however. First, the “study” is based on one single flaw that one security consultant decided to follow. He did a Google search to pick servers that had that flaw (he apparently found out about the flaw right before it went public). Then he kept testing those servers over time to see who fixed the flaw. Since it’s only one instance, it’s not clear how conclusive this study is. The conclusions seem a bit off-base as well. The guy says he thinks that the sysadmins who didn’t patch the hole are clearly lazy. However, with the incredible number of security hole announcements that come out every single day, I think it’s more of a “crying wolf” situation. There are only so many security holes that sysadmins are going to respond to, and after a while they don’t see the threats as being that strong, compared to the actual effort of patching.


Comments on “Security Holes Aren't Being Filled”

ctrlz says:

Re: don't forget...

There are even more reasons:
1. There is always a chance that patches will break something…
2. Many software products are supported only on certain patch levels, i.e. Service Pack 3 for Windows NT. If an admin installs a newer service pack, he is on his own.
3. Patches still cannot (mostly) be installed without downtime. By installing patches, an admin has no chance to reach 99% uptime on unclustered servers. At the same time *ADMIN, YOU DO NOT UNDERSTAND, BUSINESS SIDE NEEDS IT*
