I am pleased today to announce a project that I have been working to get going for a little while – Project Quant – an open model/method development project being done in conjunction with Rich Mogull of Securosis with the goal of developing a cost model for patch management response that accurately reflects the financial and resource costs associated with the process of evaluating and deploying software updates (patch management).
For me, this is a convergence of two passions that I have in my job and the work I do:
- Helping establish objective metrics for security, and
- Providing tools that are useful to customers
I’ve spoken with a lot of Microsoft customers and found that within the IT departments, they have a strong desire for metrics that help them drive their day-to-day business. Many of my past analyses and reports were developed with this in mind, but they tend towards the technical and less towards the business aspects of security. If we know two software companies both fixed 50 vulnerabilities last year, while that might tell us something about the software, that doesn’t tell us about how it impacted different customers in terms of work required or resources.
As a small (incomplete) example, here are some things that would affect the IT departments:
- How many updates were the fixes bundled into and when were they released?
- Do the vulnerabilities affect software I have in production or not?
- What were the severity ratings and what is my policy with respect to severity ratings?
- How many people work in patch management for my company and what are their roles?
- What sort of tools do I have for deployment?
I think what is needed is a model that captures these and many other aspects of patch management policies and operational realities that is also flexible enough to model small businesses as well as very large corporations. Project Quant is an effort to get the ball rolling in that effort.
Regards ~ Jeff
Initial Project Quant news coverage:
(and a German article) Microsoft: Schnelleres Patchen mit Project Quant