Comments
Software Patches Eat Government IT's Lunch
WKash,
User Rank: Apprentice
9/17/2013 | 12:50:08 PM
re: Software Patches Eat Government IT's Lunch
There's an interesting story and commentary on the importance of, and the balance between, software developers who crank out code and product managers who are responsible for the customer experience. See "Why your software development process is broken" at: http://www.informationweek.com...
WKash,
User Rank: Apprentice
9/17/2013 | 12:38:19 PM
re: Software Patches Eat Government IT's Lunch
This misses the point of what the Marine Corps and other large-scale organizations are facing. First, the Marine Corps can't just drop software A and switch to software B because software A is costing more to update/fix. Second, we're talking about high costs because of the large number of users and devices that exist. The Marine Corps works with the US Navy. Together they have more than 800,000 users on the network. Simple bug fixes and version updates may not be a big deal for an organization of 1,000 workers. It's a much different and more expensive matter for large organizations.
blowenth,
User Rank: Apprentice
9/7/2013 | 3:04:49 PM
re: Software Patches Eat Government IT's Lunch
I find it interesting when people complain that they are losing money as a result of applying software fixes.

The simple answer for organizations that are losing money applying software fixes is for the organizations to discontinue using the software. Then they would recover those "losses" -- right?

But, of course, they will nearly always "lose" even more money if they discontinue using the software. Adoption of nearly all business software products results in cost reduction of actions that can already be performed. There is often very quick adoption of new products that provide significant cost reductions because the people that purchase the products can get their money back in less than a year and then go on to get significant cost reductions year over year. However, people still gripe because they don't save even more because of product defects.

For example, Larry Ellison of Oracle said that Oracle saved a billion dollars a year when it adopted Internet technology products for HR and other internal processes. I believe it. Now Oracle could have saved even more than a billion dollars if there were no product defects. Let's suppose Oracle saved $1,000,000,000, but if there were no product defects they would have saved $1,010,000,000. Now Larry could say that Oracle lost $10,000,000 by adoption of Internet technology products -- and it would be true using the logic of the "Software Patches Eat Government IT's Lunch" story.

Software, unlike almost all other products, is peculiar because customers pay to get fixes to defects in delivered products. Why is this? Why do customers purchase such products and then have to pay to have design defects repaired? Let's consider two companies building the same type of software products.

Let's say Company A gets the product out in 2010, where it is purchased by the Bank of America. Let's say that Company A's product has many software defects costing BoA $10,000,000 during the next two years. Let's say Bank of America saves $500,000,000 per year because of the adoption.

Let's say Company B gets the product out in 2012 at the same price as Company A and, because of the extra two years of testing, software defects cost $0 per year and the Bank of America starts saving $500,000,000 per year at that point. What's the better deal for the Bank of America?

Did Bank of America lose $10,000,000 by adopting Company A's product, or did it lose $990,000,000 by waiting to adopt Company B's bug-free product?

Of course there are tradeoffs here. If the products have too many bugs then they become unfit for use. But competition typically sorts this out.

Anyway, the bottom line here is that when you hear about organizations losing money because of the cost of applying fixes for software defects, it's probably not the case that the organization lost money by adopting the use of that software. They just want to save even more -- and that is good. However, sometimes it's good to remind people to consider all the costs and benefits.
WKash,
User Rank: Apprentice
9/5/2013 | 6:58:06 PM
re: Software Patches Eat Government IT's Lunch
Government gets a lot of criticism for its bureaucratic ways, but it does offer a template, courtesy of the National Institute of Standards and Technology, for how software code can be certified to meet certain operating standards. Enterprises would be better served if there were standards software developers could agree to that, as you say, using an automated process, would give software the equivalent of a clean bill of health. That won't address the need for updates, as you say, but it would give customers more confidence in what they're buying. And that hopefully would lead to marketplace choices that would reward the more responsible developers.
moarsauce123,
User Rank: Ninja
9/5/2013 | 5:04:24 PM
re: Software Patches Eat Government IT's Lunch
A bug is anything that negatively impacts user experience. That means it does not need to be a coding error. The code can be all well, but if using the application is so complicated that it will lead to many mistakes, the software is buggy and needs fixing.

A big problem these days is indeed the ridiculously short times to market, as well as the 'agile' methods that reward not committing to anything, no planning, no documentation, and rapid releases of something. I think we all would be better served by spending a few months up front to design applications and make up our minds as to what we really want, then build that. Sure, flexibility is always needed as some aspects come up while doing the development work, but it just doesn't pan out when doing everything on the fly.
MarciaNWC,
User Rank: Apprentice
9/4/2013 | 9:07:41 PM
re: Software Patches Eat Government IT's Lunch
Would be interesting to see those reports Jack cites indicating that 25% of hospital operating room liability lawsuits are now tied to software coding problems.
Lorna Garey,
User Rank: Ninja
9/4/2013 | 2:40:33 PM
re: Software Patches Eat Government IT's Lunch
Excellent analysis. Patches have always been painful, and seem to be getting more so. The "goods vs. service" distinction is a factor those choosing between SaaS and COTS should consider.
cbabcock,
User Rank: Apprentice
9/3/2013 | 7:30:47 PM
re: Software Patches Eat Government IT's Lunch
Software patches are often updates, not bugs in the sense of poor code needing corrections, to bring an application into line with updates elsewhere in itself or to keep it compatible with a wider set of software. We need to get to the point where software is built in such a standard fashion that updating it is a standard, and automated, process. This is where cloud vendors start to draw away in terms of efficiency from the one-of-everything enterprise data center.