Timing the Application of Security Patches for Optimal Uptime

[Crispin Cowan <crispin () wirex com>]

This paper has been published at the USENIX LISA 2002 conference
<http://www.usenix.org/events/lisa02/>, and is available for download
here <http://wirex.com/%7Ecrispin/time-to-patch-usenix-lisa02.ps.gz>.

        Timing the Application of Security Patches for Optimal Uptime

Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, and Chris Wright
           WireX Communications, Inc.  http://wirex.com
                                     and
                               Adam Shostack
                Informed Security  http://www.informedsecurity.com

    Security vulnerabilities are discovered, become publicly known, get
    exploited by attackers, and patches come out.  When should one apply
    security patches?  Patch too soon, and you may suffer from
    instability induced by bugs in the patches.  Patch too late, and you
    get hacked by attackers exploiting the vulnerability.  We explore
    the factors affecting when it is best to apply security patches,
    providing both mathematical models of the factors affecting when to
    patch, and collecting empirical data to give the model practical
    value. We conclude with a model that we hope will help provide a
    formal foundation for when the practitioner should apply security
    updates.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
                            Just say ".Nyet"