On Sun, Jul 21, 2024 at 12:19 PM Hans <hans.ullr...@loop.de> wrote:
>
> I do not agree to this. Updates should be installed as soon as they are
> available. Especially security updates. It shows that within 24 hours after
> the release of an update, an exploit is available for this security hole.

I think you may be conflating two different updates. The first is the
OS or application's updates for a vulnerability, and second is the
antivirus updates to detect an attack using the vulnerability.

The science tells us that most compromised servers happen long after
an exploit is disclosed and patched. The majority of compromises
happen after 90 days, and continue for years afterwards. Confer,
<https://www.cs.umd.edu/~waa/pubs/Windows_of_Vulnerability.pdf>.

So a Patch Management program that tests the OS or application
vendor's updates within about two weeks is usually going to be Ok.
Since it is the OS vendor or application vendor, it might be Ok to be
very aggressive in applying the updates since the OS or application
vendor is the expert for their product. That covers the first case -
OS or application updates for a vulnerability.

The second case is trickier - detecting an attack using the
vulnerability. This is where antivirus comes into play. In my mind's
eye, antivirus companies are an externality/third party, and their
work needs to be tested even more than the OS or application. The
testing needs to be more thorough because the third party does not
have specialized knowledge of the organization or the OS or
application. Yet the third party will likely run with the highest of
privileges, and violate a number of the tenets laid out by Saltzer and
Schroeder. Confer,
<https://www.cs.virginia.edu/~evans/cs551/saltzer/>.

> But you should do it correctly, like some hospitals did: First check with a
> canary (a test server or some unimportant server), then, when everything is
> working without any problems, roll it out to the rest of the servers.

Are the hospitals checking the OS or application updates; or are they
checking the antivirus updates?

> Waiting for some days is a very very bad idea!
>
> I admit that many people do not do so, because they are comfortable and this
> requires more work. But it is the correct way!
>
> And really: This is not new knowledge, this practice has been standard for years
> (or should be everywhere).
>
> If one thinks he must not do it and relies on the manufacturer, well, his
> decision. If it breaks, I have no pity for him.

Jeff
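A canary-gated rollout of the kind both messages describe (canary hosts first, the fleet only after every canary reports healthy, with a longer test window for third-party antivirus updates than for vendor OS/application updates), written here as an added example rather than code from either writer; the window lengths and host names are assumptions:

```python
"""Canary-gated patch rollout with per-update-class test windows (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed test windows: vendor OS/application updates get about two weeks of
# testing, third-party antivirus updates (which run at high privilege and
# come from a party without knowledge of the organization) get longer.
TEST_WINDOW_DAYS = {"os": 14, "application": 14, "antivirus": 21}


@dataclass
class Rollout:
    update_class: str          # "os", "application" or "antivirus"
    released: date             # vendor release date of the update
    canary_hosts: list         # unimportant/test servers patched first
    fleet_hosts: list          # everything else
    canary_results: dict = field(default_factory=dict)  # host -> healthy?
    patched: set = field(default_factory=set)

    def deadline(self) -> date:
        """Latest date by which the fleet should be patched for this class."""
        return self.released + timedelta(days=TEST_WINDOW_DAYS[self.update_class])

    def record_canary(self, host: str, healthy: bool) -> None:
        if host not in self.canary_hosts:
            raise ValueError(f"{host} is not a canary host")
        self.canary_results[host] = healthy
        self.patched.add(host)

    def next_targets(self) -> list:
        """Hosts to patch now: canaries that have not reported yet, then the
        whole fleet; a single unhealthy canary holds the fleet back."""
        pending = [h for h in self.canary_hosts if h not in self.canary_results]
        if pending:
            return pending
        if not all(self.canary_results.values()):
            return []  # canary broke: hold the rollout and investigate
        return [h for h in self.fleet_hosts if h not in self.patched]

    def overdue(self, today: date) -> bool:
        """True when the test window has elapsed and the fleet is still unpatched."""
        return today > self.deadline() and any(
            h not in self.patched for h in self.fleet_hosts)
```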
