Shostack + Friends Blog Archive

Project Quant: Patch Management Metrics

Rich Mogull, Adrian Lane, (of Securosis) and Jeff Jones (of Microsoft) have started a “transparent” metrics project “to help build an independent model to measure the costs and effectiveness of patch management.”  They’re calling it (for now) Project Quant.  As you can probably guess, I’m all for transparent metrics projects, and I hope you’ll at least follow this, if not contribute.

What’s even more interesting news to me are two surprises that came with this announcement.  One –  I am somewhat pleasantly surprised Rich is going as far as to talk about modeling – good on him.  In large enterprises measuring things like coverage and effectiveness are gonna be probabilistic (if you’ve got a 50,000 machine patch-management program already, back me up on this).

Two – another surprise is that the announcement of this project on the securitymetrics.org mailing list has lead to a discussion as to whether

• A patching metric project is worth it
• If patching is worth it

The second bullet there seems pretty “flat earth” to me.  It seems like it’s proponent believes that IT MacGyvers out there can ignore patching and create system integrity using duct tape, chewing gum, and old pepsi can and SSL – and claim it will be more economically effective. Sounds crazy, right? I mean, either they’re completely nuts, or we’re all doing it wrong.  Needless to say this has created a somewhat long thread in my gmail.

Now, what’s interesting is that the fact that I have this long thread, to me, is evidence that the project itself has merit (validating bullet one, there).  If there’s that much to say about the subject in deductive theory (because obviously the IT MacGyver types don’t have strong inductive evidence to prove their point) then Project Quant is off to a good start.

God Speed, Rich, Adrian, and Jeff.  And if you fail, there’s always….

Originally published by alex on 17 Apr 2009
Last modified on 17 Apr 2009
Categories:   Uncategorized