It’s Tuesday; Do You Know Where Your Patches Are?

Posted By Jonathan Bloom on April 12, 2011 | Application Failure

It’s Patch Tuesday again. The monthly rite of passage for Microsoft as it attempts to patch some of the holes in its software that it didn’t bother to fix before they put it in the box as well as those exposed after the software had been installed in millions of devices.

This month in particular, Microsoft has a “record number” of patches. In fact, Gregg Keizer at Computerworld wrote that, “Microsoft announced that next week’s monthly security update will feature a record-tying 17 bulletins that patch a record 64 vulnerabilities, 15 more than the previous largest-ever set in October 2010.” He adds that nine of these are “critical bulletins,” affecting Windows XP, Vista and Windows 7, and at least some must affect the kernel.

In addition, Redmond Channel Partner reported one of the critical security patches “appears to be the long-awaited cumulative fix for Internet Explorer. It will address every supported Windows operating system and covers IE 6, 7 and 8 browsers.”

It’s not like security patches or patching the kernel are anything new or uncommon for Microsoft. Every other month for over a year now, Microsoft has been sending out a kernel patch. So now we’re talking about security and the core of the operating system containing flaws and vulnerabilities – multiple flaws and vulnerabilities. This sounds an awful lot like Microsoft is building on top of structurally unsound foundations.

Poor Performance

I’m wondering how other industries would survive if they, too, had to send out fixes for known issues on a monthly basis. Can you imagine Ford, GM or Toyota holding a “Recall Thursday”? Just picture having to line your car up at your dealership’s repair bay the second Thursday of each month for them to replace the faulty radiator hose or universal joint that someone had “just discovered” was faulty.

And I guess that’s where the real issue lies. Exactly when does Microsoft know about the flaw or vulnerability, and should they have known about it sooner? Some conspiracy theorists out there think that they actually do know about it and that Patch Tuesday is a way to either market themselves as the “good partner” by offering the fix to a problem or, for hard-core “conspiracists,” a way to take a sneak peek at what you’re doing with their software and possibly even disable XP to force an upgrade to Vista. I’d say it’s all in whom you believe, but I can’t in all honesty believe any of those theories.

Regardless of whether it’s some great, untold conspiracy or just oversight, there should be some increased level of scrutiny during the development phase to ensure the application software – and especially the core and security of operating system software – is neither flawed nor vulnerable, since a malfunction of mission-critical software or leaving a company’s network open to hackers can lead to major business risk.

A Window to the Solution

Microsoft is not alone in this problem – it seems like every week there’s another company or industry battling a software malfunction. Paul Henry, a forensic and security analyst at Lumension, even told Redmond Channel Partner that the spike in Microsoft vulnerabilities is due, at least in part, to “third-party software designed to run on Windows or that users with Windows systems download.”

Nevertheless, listening to this and seeing the monthly patches come down the pike from Microsoft, we have to believe there’s gotta be a better way to do business. This “Patch Tuesday” stuff is little more than putting band-aid after band-aid on the problem. There has to be a way to assess the structural quality of application software during the build, so the structure of new code as well as the code that it’s written on top of can be scrutinized for issues with complexity, security, robustness and just plain flaws.

Well, there is. More and more large corporations are using a system of automated analysis and measurement to do this, but it needs to be put into use across the application software development industry. Automating the application software assessment process allows development teams to review far more code than can be reviewed manually. Ideally, such an assessment would be measured against a set of standards defined by an organization and agreed upon by the leading software developers in the world, so that every piece of software could be certified as being as free of flaws and defects as possible, or “Up to Industry Standards.”

Until automated analysis and application software standards become commonplace, I guess we’ll just have to keep “risking” it.

I wonder what next month’s Patch Tuesday will have in store for us!


Posted by Jonathan Bloom

Jonathan is an experienced writer with over 17 years in the technology industry. Jon has written more than 500 journal and magazine articles and other materials that have been published throughout the U.S. and Canada. He has expertise in a wide-range of subjects within the IT industry including software development, enterprise software, mobile, database, security, BI, SaaS/Cloud, Health Care IT and Sustainable Technology. Jon holds a B.A. in History from Gettysburg College. He enjoys attending sporting events, cooking, studying American history and listening to Bruce Springsteen music.
