We all need open standards

The latest SANS "Top 20" vulnerability list was released recently. It needs to be taken with a pinch of salt, but it does make an interesting observation: the focus is shifting from holes in operating systems to holes in applications.

This might even be a good thing if it means that, finally, people are regularly patching their OSs. Despite being a regular whipping boy for the security community, Microsoft has done some excellent work in patch management over recent years.

New installations of Windows nag you if you don't enable automatic updates, while the free Windows Server Update Services (WSUS) gives corporate users centralised management and reporting. There's also the Microsoft Baseline Security Analyzer, another free tool that checks for missing patches and common configuration problems. It's a great improvement from the days when I had to maintain my own list of applicable hotfixes.

Unfortunately, in the application world things aren't quite so comfortable. Many desktop applications now have a "check for updates" button, but the general rule for "serious" applications such as firewalls, backup software and databases is that you still have to keep an eye on the websites and announcement lists to find out when patches are being made available.

In the corporate world, even the "check for updates" button is a mixed blessing. Not only can it waste bandwidth, because every desktop fetches the same update separately (and no, your proxy won't always sort this out), but installing patches carries its own risk: updating software to fix one problem can easily break something else. Hence the range of products now on the market for controlling patch installation in a more risk-managed fashion.

But this causes a lot of wasted effort. There are some fledgling open standards for describing how to detect that a patch is needed and then how to find and install it, but most commercial offerings use their own proprietary formats. So every time a product or a patch is released, each patch-management vendor has to work out and encode the detection and installation logic for itself.

Wouldn't a better option be for software vendors to publish that information in an open standard format? Patch-management tools could then consume it directly, turnaround would be much faster, and end users would get a wider and, hopefully, cheaper choice of products.
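As an added illustration (not part of the original column, and not OVAL or any published standard), here is roughly what a vendor-neutral patch-applicability feed could carry and how a patch-management tool would consume it against a host inventory. The format, the product names, the identifiers and the inventory are all made up for this example. It also shows the one detail every home-grown checker tends to get wrong: dotted version strings must be compared numerically, component by component, not as plain strings.

```python
"""Evaluate vendor-neutral patch definitions against a software inventory.

Hypothetical format constructed for this example; it is not OVAL or any
shipping standard. Each definition says which product it covers, which
installed versions are affected, and where the fix is published.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample feed: what a vendor might publish once, in a shared
# format, instead of a proprietary feed for every patch-management product.
PATCH_DEFINITIONS = json.loads("""
[
  {"id": "DEMO-001", "product": "examplefw",
   "affected_below": "3.2.1", "fixed_in": "3.2.1",
   "url": "https://vendor.example/patches/examplefw-3.2.1"},
  {"id": "DEMO-002", "product": "backupd",
   "affected_below": "1.10.0", "fixed_in": "1.10.0",
   "url": "https://vendor.example/patches/backupd-1.10.0"},
  {"id": "DEMO-003", "product": "exampledb",
   "affected_below": "9.0.5", "fixed_in": "9.0.5",
   "url": "https://vendor.example/patches/exampledb-9.0.5"}
]
""")

# Constructed sample inventory of one host, as an agent or scanner would report it.
INVENTORY: Dict[str, str] = {"examplefw": "3.1.9", "backupd": "1.9.4", "exampledb": "9.0.5"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so "1.10.0" sorts above "1.9.4".

    Comparing the raw strings gets this wrong ("1.10.0" < "1.9.4" as text),
    which would report backupd 1.9.4 as already patched.
    """
    return tuple(int(part) for part in v.split("."))


def version_lt(installed: str, threshold: str) -> bool:
    """True if installed is strictly below threshold; shorter versions are zero-padded."""
    a, b = parse_version(installed), parse_version(threshold)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def needed_patches(inventory: Dict[str, str], definitions: List[dict]) -> List[dict]:
    """Return the definitions whose product is installed at an affected version."""
    results = []
    for d in definitions:
        installed = inventory.get(d["product"])
        if installed is None:
            continue  # product not present on this host: nothing to patch
        if version_lt(installed, d["affected_below"]):
            results.append({"id": d["id"], "product": d["product"],
                            "installed": installed, "fixed_in": d["fixed_in"],
                            "url": d["url"]})
    return results


if __name__ == "__main__":
    for p in needed_patches(INVENTORY, PATCH_DEFINITIONS):
        print(f"{p['id']}: {p['product']} {p['installed']} -> {p['fixed_in']} ({p['url']})")
```

Run against the sample inventory, the checker flags examplefw and backupd and leaves exampledb alone, because 9.0.5 is already the fixed version. The point of the shared format is that the vendor writes the applicability rule once and every management tool evaluates it the same way.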

I think I might be being a bit optimistic, though – after all, we still have trouble standardising the names of most viruses and vulnerabilities. But I live in hope.

Copyright © SC Magazine, US edition
