Posted by: Robert Westervelt
patch management, patching, software updates
When was the last time you considered the state of your vendor relationship? Are they doing anything behind your back?
Google recently presented the results of its study touting that users of its Chrome browser are far more likely to have the latest version installed, because Chrome includes a silent update feature that automatically checks and installs the latest version with virtually no user interaction.
Software updates have become ubiquitous across all applications, regardless of their purpose. Sometimes the user must check for a new version, but often an automated process checks for an available update and then prompts the user to approve its installation.
I must admit that like many users, when I am moving quickly on a task, I’ll sometimes delay an application update for another time. But keeping that update process silent, without the user’s knowledge, strikes me as putting security ahead of the user. If I want to surf the Web without antivirus protection, I will do so. If I want to remain on version 1.x instead of 1.5, I want the ability to have that choice. When was the last time you got into an automobile and an automatic seat belt swung into place? Admit it, the auto industry caught on. Even though seat belts could save a customer’s life, automatic seat belts are a thing of the past. They were too intrusive, resulted in less choice for the driver and passenger, and ultimately, I bet they hurt sales.
Mozilla’s Johnathan Nightingale got it right when he said Mozilla prides itself on giving its users information. “We make certain choices, like telling users when security updates happen, and not automatically upgrading users to new ‘major’ versions … because we think it’s important to give our users that information and choice,” he said, explaining his take on the Google study.
Software as a Service and cloud computing services could dramatically change the discussion around patching. But perhaps more important are the questions that remain unanswered. Marcus Ranum, CTO of Tenable Network Security Inc., asked the following two questions:
- Why are we running software that is so bad it constantly needs patching?
- Since the “security researchers” have been saying for 15+ years that their bug-hunting activities are part of “making software better,” can we declare that effort to be a failure, yet?
It’s possible that if the industry starts to adequately address the issues within the software development lifecycle, the patching discussion will become a moot point. Bruce Schneier said something several times at the 2009 RSA Conference that stuck in my mind: Cloud computing is about trust. Do you trust your vendor? I suspect we are trusting our software and hardware vendors to a certain extent. By downloading a piece of software or buying an electronic device, we are engaging in a relationship. The fact is, by making software updates silent, the vendor is doing something behind our back. It’s something that begins to call our relationship into question. Isn’t that when relationships have a tendency to fail?
For now, I’ll happily continue to put off my software updates until they’re convenient for me. And yes, I wear a seat belt.