Stop the panic when major bugs have to be patched

Patching is one of those less glamorous tasks that have to be assigned to IT staff, yet it is an essential part of a thorough security strategy.

But as Rafal Los, research director at security consultant Accuvant, points out in this blog, IT departments and vendors often panic when systems have to be urgently patched after a major problem like Heartbleed is discovered.

The reason, he argues, is that patching has evolved into an IT operations responsibility rather than the security team's. After all, systems have to be tested thoroughly before a patch is put into production. The truth is, Los says, patching should be part of configuration and asset management.

“Enterprises that don’t operationalize configuration and asset management are doomed to repeat the cycle of lost productivity, frustration and panic,” he writes. “The panic that ensues when an organization identifies a major vulnerability and then has no choice but to find (or build) a tool to scan their environment to find the vulnerable assets should not become routine. Wouldn’t it be amazing if the primary mode for identifying these vulnerable assets was an asset database that was relatively complete with accurate data so they could simply dive in and find 75 per cent of the known systems that have OpenSSL on them, for example? After they patched those systems, they then could break out the scanners and find the unknown vulnerable systems and add them into the asset and configuration management system? How crazy is that?

“The reason this is important is that we are talking about incredibly high costs to productivity when security has to drop everything and go hunting and one-off patching.”

Enterprise security teams should focus more on Information Technology Infrastructure Library (ITIL) fundamentals, and on asset and configuration management within their organizations, Los says. That way, when a major system needs to be fixed, IT can patch what it knows, then look for the unknowns in a methodical manner.
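The two-step workflow Los describes, as an added illustration that is not from the article or from Accuvant: query the asset database first for systems running an affected OpenSSL build, patch those, then use scanner output only to surface systems the database never knew about or recorded incorrectly. The asset records, scan results and host names below are constructed sample data; the version check covers the OpenSSL 1.0.1 through 1.0.1f releases affected by Heartbleed and does not attempt to parse 1.0.2 beta strings.

```python
import re

# Constructed sample asset database: what the CMDB claims is installed where.
ASSET_DB = {
    "web-01": {"openssl": "1.0.1e"},
    "web-02": {"openssl": "1.0.1g"},
    "db-01":  {"openssl": "0.9.8y"},
    "lb-01":  {"openssl": "1.0.1f"},
}

# Constructed scanner output for the same network, gathered after step 1.
SCAN_RESULTS = {
    "web-01": "1.0.1e",
    "web-02": "1.0.1e",   # database says 1.0.1g: the record is stale
    "lb-01":  "1.0.1f",
    "vpn-03": "1.0.1c",   # absent from the database: an unknown system
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def is_heartbleed_vulnerable(version):
    """True for OpenSSL 1.0.1 through 1.0.1f (the releases hit by Heartbleed)."""
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter = int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)
    # A bare "1.0.1" has letter "" which sorts before "f", so it counts as affected.
    return (major, minor, patch) == (1, 0, 1) and letter <= "f"


def known_vulnerable(asset_db):
    """Step 1: answer the question from the asset database alone, no scanning."""
    return sorted(host for host, sw in asset_db.items()
                  if "openssl" in sw and is_heartbleed_vulnerable(sw["openssl"]))


def reconcile(asset_db, scan):
    """Step 2: use scanner output only to find what the database did not know.

    Returns (hosts to add to the database, hosts whose recorded version is wrong).
    """
    unknown = sorted(host for host in scan if host not in asset_db)
    stale = sorted(host for host, ver in scan.items()
                   if host in asset_db and asset_db[host].get("openssl") != ver)
    return unknown, stale
```

Hosts returned by `known_vulnerable` are the ones to patch immediately; the two lists from `reconcile` are the corrections to feed back into the asset and configuration management system so the next incident starts from better data.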

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
