Patching. Why it doesn’t happen.

The lines of amber on black monospace tick slowly up the screen. Each line looks give or take the same. Destination. Size. Time. Tick. Tick. Tick. ICMP packets stop going up the screen - the host is restarting, and her attention is drawn away to something else while the inevitable boot sequence is negotiated. POST, Lifecycle management, Drives, stuff ... we have come so far yet it takes longer to bring the hardware online than it does to boot the OS. Priority.

On checking back - nothing. No, surely. "This should be up by now?"

That hollow feeling inside spreads, and they are off to put a KVM on the machine.


This could be an issue for anything anywhere - however the question is going to be asked... did anything change? What?

Having just read the WannaCry - Why we did not patch over on The Register - it is all too familiar.

Increasingly, as security becomes more and more of a glaringly obvious poo-in-a-swimming-pool, the pressure is also on for service delivery, lack of interruption, level playing field.

To find out that a new point release of a kernel means that the bundled JVM, while working, doesn't work as advertised and the vendor is throwing its hands in the air saying "well we do not support that"... roll back, roll back now... when they finally figure out that is the issue that is #truestory #r1soft. You find yourself choosing between kernel patching or backups for an estate of servers. Bad, BAD place to be.

It's easy enough to make a choice when you are an individual, or a group, or something like that. Simple. Off over insecure. Easy. However throw in shareholders and customers and suddenly the water gets muddy very quickly indeed.

When you start to get like that it's just a matter of time until legacy systems start to become a very real pain. Less of a thorn in your side, less of a worry, more of your very own house-of-cards.

You can hear the rock and the hard place - the Exec. meeting with a red-faced CEO shouting and clearly unable to be placated with mere facts "WHY WAS THIS PLATFORM DOWN?!" / "WHY WAS THIS NOT PATCHED?!" *delete as applicable. ...think of the city, the shareholders... "I WANT HEADS ON STICKS. BLUNT ONES. GIVE ME NAMES."

"Three: Pick Any Two" comes to mind. Stability. Security. Transparency. Shareholders ... oh no... that's four.

Are those the balm-like dulcet tones of Rami Malek I hear narrating my life and generally soothing my soul?

Should I be worried about that?

As the thumb screws are repeatedly applied - no one wants to patch. No one wants that on them. They know it's right - but they just cannot afford that. They want to go home at a reasonable time, and not dread what the next day brings. It's not a hard choice. Even if you know it's wrong.

Lack of Patching. It is a gateway drug to Legacy Systems as a liability.

We. Collectively. Are doomed.
