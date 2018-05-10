26% of Companies Ignore Security Bugs Because They Don't Have the Time to Fix Them (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: A survey compiled last month at the RSA security conference reveals that most companies are still behind with proper security practices, and some of them even intentionally ignore security flaws for various reasons ranging from lack of time to lack of know-how. The survey, which compiled answers from 155 security professionals from the companies present at the RSA conference, revealed that only 47% of organizations patch vulnerabilities as soon as they are known. Most worrisome is that some companies wait quite some time before applying patches, exposing their IT infrastructure to attacks. More precisely, 16% wait for one month, while 8% said they only apply patches once or twice a year.
It's not time, it's money... (Score:5, Insightful)
It's not that I don't have enough time, I do.
It's that the powers that be only want to spend time on something if a client pays for it.
Re: (Score:2)
You work for free?
Re: (Score:2)
If you're a plumber and you hear that the house two doors down, whose pipes you installed 4 years ago during the construction of the house, has a leak, you aren't going to go and fix it for free, are you?
I don't know what kind of regulation could facilitate good business and secure products. The more secure you make something, usually the more it will cost the client (even with security-first orientated programming).
Re:It's not time, it's money... (Score:4, Insightful)
well, it IS time. but time IS money. so, yeah, kinda.
Pinheads that only know how to count beans and don't understand the problem are asking each other "Is it important? How much does it cost? What's the return on investment?"
They don't see the risk or the cost of losing on the risk. They only see the cost of the fix, and that looks like a very poor ROI, and it gets shot down, or continuously delayed.
Re: (Score:2)
And this isn't limited to contracting situations (where you typically hear the word "client"). I have seen this in companies that sell products on the open market, to whole industries. The company takes the approach that development schedules are dictated by what features customers say they want. Since the customer doesn't know the security problem exists, they can't say "I want this fixed". It is therefore not a priority.
Re: (Score:2)
Yeah, that didn't exactly work out well for the early adopters of the Spectre and Meltdown fixes. Not only were they initially buggy as well, but they didn't even fix all of the security flaws.
Like it or not, it's usually best to wait a day or two for someone else to be the guinea pig for security patches before putting them into Production, unless the issue is actively being exploited by a virus or a worm.
Then 26% should be sued (Score:2)
Like Windows XP in China. (Score:1)
Nobody should (Score:2)
Nobody with any experience installs a patch immediately when it's released if they aren't forced to. It only takes one time borking your entire network/domain by being the unwitting beta tester to learn that lesson.
In related news (Score:3)
depth of defense (Score:2)
Correct security is about depth of defense. If you -have- to patch immediately every time then you've already failed.
Take your time. Do it right. If you understand your security posture and have designed it well, patching once or twice a year may well be sufficient.