The problems of patching are enormous. Let’s say a vendor discovers a vulnerability in their software and releases a patch to close it before it can be exploited. So why don’t we all rush to patch our servers?
1. The patch needs to be tested in case it accidentally breaks another application or service on the server. Testing can take weeks.
2. If a patch has an adverse effect on other server applications, then a new patch will need to be created. New patch creation can take weeks.
3. Some critical servers need to be up 24 x 7, which means that a patch requiring a reboot will need to be scheduled into a maintenance window. Depending on what change processes are required, this can take weeks.
4. You need to be constantly vigilant for new patches. Missing a single patch can be enough to leave your servers open to compromise.
The above are only a few of the reasons. You can see that by the time all testing and backups have completed, an attacker may already have had time to exploit the vulnerability on your systems.
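Points 3 and 4 above (a reboot that must be scheduled, and patches that are easy to miss) are the ones that can be checked mechanically. The following script is an added example, not code from the original page: it parses the output of `apt list --upgradable` on a Debian/Ubuntu host, reports which pending updates come from a security suite, and checks whether the distribution has left its reboot-required marker. The package names and version strings in the sample output are constructed for illustration, and the marker path is the conventional one used by Debian-based systems.

```python
"""Report pending security updates and whether a reboot is pending.

Added example for the patching discussion above; the sample apt output
below is constructed, not captured from a real host.
"""
import re
import subprocess
from pathlib import Path

# Shape of one `apt list --upgradable` line on Debian/Ubuntu:
#   name/suite[,suite...] version arch [upgradable from: old-version]
APT_LINE = re.compile(
    r"^(?P<name>[^/\s]+)/(?P<suites>\S+)\s+(?P<version>\S+)\s+(?P<arch>\S+)"
    r"\s+\[upgradable from: (?P<old>[^\]]+)\]$"
)

# Constructed sample output (package versions are illustrative only).
SAMPLE_APT_OUTPUT = """\
Listing... Done
openssl/jammy-updates,jammy-security 3.0.2-0ubuntu1.15 amd64 [upgradable from: 3.0.2-0ubuntu1.14]
vim/jammy-updates 2:8.2.3995-1ubuntu2.16 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.15]
linux-image-generic/jammy-security 5.15.0.112.112 amd64 [upgradable from: 5.15.0.110.110]
"""


def parse_upgradable(text):
    """Parse apt's listing into dicts; the 'Listing... Done' header and
    any unrecognised lines are skipped rather than guessed at."""
    rows = []
    for line in text.splitlines():
        m = APT_LINE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["suites"] = row["suites"].split(",")
        # Debian and Ubuntu publish fixes through a "<release>-security" suite.
        row["security"] = any(s.endswith("-security") for s in row["suites"])
        rows.append(row)
    return rows


def security_updates(text):
    """Names of pending packages that come from a security suite."""
    return [r["name"] for r in parse_upgradable(text) if r["security"]]


def reboot_required(marker="/var/run/reboot-required"):
    """True when the package manager has flagged that a reboot is needed
    (kernel, libc and similar updates do not take effect until then)."""
    return Path(marker).exists()


def live_apt_output():
    """Run apt on the current host; falls back to the sample if apt is absent."""
    try:
        return subprocess.run(
            ["apt", "list", "--upgradable"], capture_output=True, text=True, check=True
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_APT_OUTPUT


if __name__ == "__main__":
    output = live_apt_output()
    pending = parse_upgradable(output)
    print(f"{len(pending)} upgradable package(s), "
          f"{len(security_updates(output))} from security suites:")
    for r in pending:
        tag = "SECURITY" if r["security"] else "        "
        print(f"  {tag} {r['name']}: {r['old']} -> {r['version']}")
    print("reboot required:", reboot_required())
```

Run as a daily cron job (or from a monitoring agent), the script turns "stay vigilant" into a concrete alert: a non-empty security list or a present reboot marker means the window described above is already open.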
Some ways to reduce this exposure include:
• using virtual servers, so that patches can be tested on a clone and a broken server rolled back quickly
• removing all unnecessary software, so there is less to patch and less to attack
• only running one critical application per server, so a patch for one application cannot break another.