The question of when to patch has long been debated. The security administrator must decide between applying a patch immediately to fix a vulnerability and delaying it to make sure the patch does not leave the vulnerability open or introduce a new one. As time passes, the administrator increasingly risks that a black hat exploits the vulnerability and affects the users.
Calculations
Many studies have been performed to find the optimal time for applying a patch. They reveal that the optimal time is where the cost of the risk from the vulnerability and the cost of the patch intersect. The cited study (Beattie et al., see References) finds that the cost of the vulnerability being exposed and exploited increases as the time to patch increases. Meanwhile, the cost of applying a patch decreases with time, because a longer time taken over the patch lessens the chance of introducing a new vulnerability. Thus, the optimal solution lies at the intersection of the two costs.
The same notion is aptly captured in science fiction writer Robert Heinlein's words: "Never do today what you can put off till tomorrow, if tomorrow might improve the odds." The notion translates well into a method.
Businesses can calculate the cost of each option and then determine their solution. A good understanding of the business's costs is required: the cost of applying the patch, the cost of a breach, and the cost of recovering from a faulty patch. The probability of a security breach occurring and the probability that the patch itself is faulty must also be estimated.
Other Options
Microsoft follows a routine called Patch Tuesday. On the second Tuesday of every month, it releases security updates, together with patches for other software. The downside of this approach is that even if a vulnerability is found earlier and the patch is created, the company waits for Patch Tuesday to release it, leaving the vulnerability open for a long time.
Rather than applying patches at fixed intervals, businesses may choose to apply patches as they become ready. In general, it is a safe practice to accept patches automatically when they are released. Ultimately, the business decides which procedure is the most beneficial and reduces its costs.
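As an added worked example (not code from the article or from the cited paper), the following Python script models the two cost curves described in the Calculations section and the policy choice discussed in this section. The cost figures, the exponential exploitation hazard, and the decaying probability of a faulty patch are all constructed assumptions; the function names (`crossing_day`, `cheapest_day`, `compare_policies`) are hypothetical and exist only for this illustration.

```python
import math

# All figures below are constructed for illustration; they are assumptions,
# not numbers from the article or from the cited Beattie et al. paper.
COST_BREACH = 200_000.0   # cost of a successful exploit of the unpatched system
COST_FAULTY = 150_000.0   # cost of recovering from a faulty patch (rollback, outage)
COST_APPLY = 2_000.0      # fixed cost of the change window itself
EXPLOIT_RATE = 0.01       # per-day hazard that the open vulnerability is exploited
FAULTY_P0 = 0.40          # probability the patch is faulty on the day it is released
FAULTY_DECAY = 0.10       # per-day rate at which defects in the patch get found and fixed


def p_exploited_by(day: int) -> float:
    """Probability the vulnerability has been exploited by `day` while unpatched.

    Exponential model: the longer the system stays unpatched, the closer this gets to 1.
    """
    return 1.0 - math.exp(-EXPLOIT_RATE * day)


def p_patch_faulty(day: int) -> float:
    """Probability the patch is still defective if applied on `day`.

    Starts at FAULTY_P0 and decays as the wider user base shakes out bad patches.
    """
    return FAULTY_P0 * math.exp(-FAULTY_DECAY * day)


def exploit_cost(day: int) -> float:
    """Expected loss from exploitation if patching is delayed until `day` (rises with time)."""
    return p_exploited_by(day) * COST_BREACH


def faulty_patch_cost(day: int) -> float:
    """Expected loss from a bad patch if it is applied on `day` (falls with time)."""
    return p_patch_faulty(day) * COST_FAULTY


def expected_cost(day: int) -> float:
    """Total expected cost of applying the patch on `day`."""
    return COST_APPLY + exploit_cost(day) + faulty_patch_cost(day)


def crossing_day(max_day: int = 90):
    """First whole day on which the rising exploit cost meets the falling faulty-patch cost.

    This is the intersection the article describes as the optimal patch time.
    """
    for day in range(max_day + 1):
        if exploit_cost(day) >= faulty_patch_cost(day):
            return day
    return None


def cheapest_day(max_day: int = 90) -> int:
    """Day that minimises total expected cost; with these curves it lands near crossing_day()."""
    return min(range(max_day + 1), key=expected_cost)


def compare_policies(days_until_fixed_window: int) -> dict:
    """Expected cost of three policies: patch immediately, wait for the next fixed
    window (a Patch Tuesday-style schedule), or patch on the cost-minimising day."""
    return {
        "immediate": round(expected_cost(0), 2),
        "fixed_window": round(expected_cost(days_until_fixed_window), 2),
        "cost_minimising": round(expected_cost(cheapest_day()), 2),
    }


if __name__ == "__main__":
    print("crossing day:", crossing_day())
    print("cheapest day:", cheapest_day())
    for day in (0, 5, 10, 15, 30):
        print(f"day {day:2d}: exploit {exploit_cost(day):9.0f}  "
              f"faulty {faulty_patch_cost(day):9.0f}  total {expected_cost(day):9.0f}")
    print(compare_policies(days_until_fixed_window=25))
```

Two things worth noticing when running it: the intersection of the two curves (`crossing_day`) and the minimum of their sum (`cheapest_day`) are close but not identical, so a business that wants the true minimum should sum the expected costs rather than only look for the crossing; and the fixed-window policy is only as good as the distance between discovery and the next window, which is exactly the downside of a monthly schedule noted above.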
References
- Beattie, Arnold, Cowan, Wagle, and Wright, "Timing the Application of Security Patches for Optimal Uptime" (USENIX, usenix.org)