Technology evolves rapidly, and so do users' expectations. Fast internet connections that are virtually always on have enabled software vendors to embed automated update mechanisms into many desktop programs. Though some users find these updates cumbersome, most have come to accept the routine of daily antivirus signature updates and the periodic installation of critical Windows updates.
However, the spread of automated software updates may itself create security issues for organizations. Who knows what updates are being pushed to user desktops and how they are actually installed? Who is responsible for preventing the installation of malware disguised as a security tool or a security update? And although frequent client software updates and patching are generally accepted, particularly when the updates are security related, organizations and IT administrators are often reluctant to deploy patches on production servers, regardless of how frequently vendors release them.
Administrators generally cite extremely tight maintenance windows as the main reason why security patches are not consistently applied to production servers. In other words, administrators believe that their service level agreements (internal or external) do not allow enough time to bring systems down and apply the necessary updates and security patches. However, even when vendors provide a predictable patching schedule, many organizations still do not apply the patches in a timely fashion. Perhaps the reluctance to apply patches or introduce changes in a production environment is attributable to more than just tight maintenance windows?
The resistance of organizations and IT administrators to applying patches may have less to do with maintenance windows and more to do with the cost and resources required to test changes adequately and prevent unforeseen outages. Production environments generally perform in a highly predictable fashion, and organizations and administrators are under pressure to ensure that these systems continue to do so.
Several surveys have examined this topic. In one recent survey, respondents cited more time (wider maintenance windows) as the least compelling reason that would lead them to apply security updates more quickly or more consistently. According to the results, stronger motivators for applying security patches included better tools and documentation for testing and deployment, an executive mandate within the organization, a massive malware outbreak, or a failed security audit. It is important to note that these responses were solicited from those responsible for testing, deploying, or approving security updates for their organization's production systems.
The survey provided ample opportunities for participants to include comments. One common piece of feedback was that organizational policies for security patching are typically limited to the desktop environment. Respondents felt that the flaws addressed by security patches on production servers are generally mitigated by security measures external to the affected systems. That belief holds only as long as the external control actually blocks the path to the vulnerable code: a flaw reachable over a protocol the firewall must allow, or from an already compromised host on the same network segment, is not mitigated by a perimeter device.
The most telling aspect of this survey was that respondents often expressed anxiety or even fear about altering production systems. These business-critical systems must operate in a predictable fashion and are considered too complex to tinker with. The combination of these factors fosters a situation in which organizations are unlikely to apply security patches. This creates a paradox: the importance of the systems and the expectation of near-constant availability are the very obstacles to properly maintaining and securing them.
Organizations must find a way to stay reasonably current with security patches while meeting their service level agreements. The following recommendations can help organizations more efficiently tackle security patching.