A Customer Centric Approach to Patching Systems
Many organizations believe they are focused on serving the needs of their customers. They evaluate customer wants and desires and identify the functionality needed to meet these needs. Software developers identify updates and new releases while network administrators plan system upgrades and migrations. This approach of rolling out phases, issuing new releases, and upgrading networks used to work in the past when customers were focused on features and functionality. As more and more customers are concerned about security, a new approach is needed.
A Lesson From Microsoft
When Microsoft issues a new product, the software is often identified by its year of release, for example Windows 95, Windows 98, Exchange Server 2013, and Microsoft Office 2013. As with most software, vulnerabilities are discovered over time. Many years ago Microsoft shipped security fixes together with new functionality in Service Packs. By applying a Service Pack, a customer addressed all known vulnerabilities up to the date of that Service Pack. Microsoft's customers soon found that vulnerabilities needed to be addressed more quickly and could not wait for the next Service Pack. Microsoft reviewed the needs of its customers and developed the concept of "Patch Tuesday".
On the second Tuesday of each month, Microsoft released software patches to address vulnerabilities. This too worked for a while, until Microsoft discovered that customers did not want to wait a full month to have software patched. More recently, Microsoft has moved to a rolling model of releasing patches on a weekly basis. Patches for critical vulnerabilities are now released immediately, and customers do not have to wait for the weekly updates.
Network Platforms
Application software does not exist in an isolated environment. It runs on hardware and relies on the underlying operating system and other supporting applications (e.g. databases). These too can have vulnerabilities and must be patched and updated in a timely manner.
Migrating to a Customer Centric Approach
Migrating to a customer centric (i.e. customer focused) approach requires that application developers, system and network administrators, Chief Security Officers (CSOs), and organization management prioritize security efforts rather than wait for the next rollout of software and hardware releases. This change in mindset from functionality and features to security may not happen overnight, but it needs to happen for the many of your customers (internal and external) who must meet compliance requirements and industry standards.
The following steps help migrate to a customer focused organization:
- Top-down management support and recognition that customers need timely security updates
- Identify changes in business processes that allow timely updates
- Document and distribute written policies and procedures
- Implement and enforce the procedures, and monitor to ensure they are being followed
- Perform annual audits (or more frequent ones if major changes occur) of web applications, networks, and organizational compliance
Summary
Migrate to a customer centric approach and ensure that high- and medium-priority issues are addressed within 30 days of notice of the vulnerabilities. As Bill Gates once said, "Security is, I would say, our top priority because for all the exciting things you will be able to do with computers - organizing your lives, staying in touch with people, being creative - if we don't solve these security problems, then people will hold back."
Network security audits and web application security audits help identify unpatched systems.
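The 30-day target above only helps if it is measured. The following is an added example (not from the original article) of a small remediation tracker that takes findings from an audit or vulnerability scan, applies a per-severity deadline counted from the date of notice, and reports which systems are within the window, which are overdue, and the on-time rate for closed findings. The finding identifiers, host names, dates, and the 90-day window for low-severity issues are all constructed for illustration; the 30-day window for high and medium severity is the figure the article gives.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Days allowed between notice and remediation, by severity.
# High/medium = 30 days as stated in the article; the low-severity
# window of 90 days is an assumption for this example.
SLA_DAYS: Dict[str, int] = {"high": 30, "medium": 30, "low": 90}


@dataclass
class Finding:
    system: str
    identifier: str          # advisory or scanner id (placeholder values below)
    severity: str            # "high", "medium" or "low"
    notified: date           # date the organization was notified
    patched: Optional[date] = None   # None while the finding is still open


def days_open(f: Finding, as_of: date) -> int:
    """Days from notice until the patch date, or until `as_of` if still open."""
    end = f.patched if f.patched is not None else as_of
    return (end - f.notified).days


def sla_status(f: Finding, as_of: date) -> str:
    """Classify a finding as met, breached (closed late), open, or overdue."""
    if f.severity not in SLA_DAYS:
        raise ValueError(f"unknown severity {f.severity!r} for {f.identifier}")
    limit = SLA_DAYS[f.severity]
    elapsed = days_open(f, as_of)
    if f.patched is not None:
        return "met" if elapsed <= limit else "breached"
    return "open" if elapsed <= limit else "overdue"


def compliance_report(findings: List[Finding], as_of: date) -> dict:
    """Summarize SLA compliance and list overdue systems, worst first."""
    counts = {"met": 0, "breached": 0, "open": 0, "overdue": 0}
    overdue: List[Tuple[str, str, int]] = []
    for f in findings:
        status = sla_status(f, as_of)
        counts[status] += 1
        if status == "overdue":
            past_due = days_open(f, as_of) - SLA_DAYS[f.severity]
            overdue.append((f.system, f.identifier, past_due))
    overdue.sort(key=lambda row: row[2], reverse=True)
    closed = counts["met"] + counts["breached"]
    on_time_rate = counts["met"] / closed if closed else None
    return {"counts": counts, "overdue": overdue, "on_time_rate": on_time_rate}


# Constructed sample inventory; identifiers are placeholders, not real advisories.
AS_OF = date(2024, 3, 31)
SAMPLE_FINDINGS = [
    Finding("web-01", "PLACEHOLDER-ADV-001", "high", date(2024, 2, 15), date(2024, 3, 1)),
    Finding("db-02", "PLACEHOLDER-ADV-002", "medium", date(2024, 2, 1), date(2024, 3, 20)),
    Finding("app-03", "PLACEHOLDER-ADV-003", "high", date(2024, 3, 10)),
    Finding("app-04", "PLACEHOLDER-ADV-004", "medium", date(2024, 2, 10)),
    Finding("file-05", "PLACEHOLDER-ADV-005", "low", date(2024, 1, 20)),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_FINDINGS, AS_OF)
    print("Status counts:", report["counts"])
    print("On-time rate for closed findings:", report["on_time_rate"])
    for system, ident, past_due in report["overdue"]:
        print(f"OVERDUE {system} {ident}: {past_due} days past the SLA")
```

Feeding this the output of a periodic scan (rather than the constructed list) turns the "30 days from notice" policy into a number management can be shown each month, and the overdue list is the input for the enforcement step in the migration plan above.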