On Patch Management

    June 8, 2005
    WebProNews Staff

Microsoft sought to combat a widening public perception that open source solutions (OSS) were less expensively patched than comparable Windows systems.

The Redmond-based software company funded a 2004 study with respected consulting and services leader Wipro Technologies. The methodologies of the study, called “The Total Cost of Security Patch Management”, were audited by The Meta Group. Results of the study were first announced on April 18.

Wipro’s study of 90 firms with 2,500 devices, with both Windows and OSS systems in place, found a number of interesting points. First, the costs of patching either type of system were roughly comparable. Windows was slightly less expensive on the client side by an average of 14 percent, and 13 percent on the non-database server side.

The study also found patching Windows was less labor-intensive, 40 percent lower on the client side and 29 percent less on the non-database server side. The results for database servers showed Windows was a third of the cost of OSS to patch and less than half as labor-intensive.

One particular point jumps out from the study results: high-level and critical vulnerabilities remain exposed longer on OSS client systems than on Windows systems.

Considering the speed at which OSS projects typically get patched, compared with Microsoft’s once-a-month patch update except in extremis, an observer would likely think the opposite would be true.

But organizations took half as long to address high-level and critical issues on Windows clients as they did on OSS. Organizations took nearly the same amount of time patching non-database servers and database servers with all levels of patches, though.

Wipro’s study brings forth three points to benefit an organization.

  1. Centralize IT operations
  2. Standardize on one or, at most, two operating systems
  3. Adopt a patch management system

In the study, Wipro contends that even though more Windows systems needed to be patched in its respondent firms, each Windows system costs less to patch than each OSS system. This applies even with the frequently higher number of patches distributed by Microsoft.

From purely a patch management perspective, it appears that OSS has caught up to the point where best practices by an enterprise make it as secure as Windows can be when faced with a patchable threat. And the average total cost of management tools for Windows is nearly 80 percent higher than for OSS.

But with a greater ratio of Windows systems in the study, the cost per Windows system comes down significantly. This also applied to the ongoing costs of managing the two different systems; overall OSS costs were lower, and per-system Windows costs were lower.

The study definitely finds enterprises will experience more effective cost controls when they implement best practices. And those practices can be adopted just as well with OSS systems as they can be with Windows systems.

David Utter is a staff writer for WebProNews covering technology and business.