I am extremely excited to announce that Rich Mogull and I believe we are ready to publish two key deliverables for Project Quant today and make them available for download.
I describe the other one, “Measuring and Optimizing Patch Management: an Open Model”, in another post.
Below is an excerpt from the survery summary and analysis and you can download the full report at http://securosis.com/research/publication/project-quant-survey-results-and-analysis/.
As part of the Project Quant community effort to develop a well-defined patch management cost model, the project team fielded a survey of patch management questions covering aspects of the patch management process. While we believe this survey, due to self-selective participation, is biased towards companies with active patch management efforts, the results were informative in that context. Key findings from the survey include:
- Most companies were driven by compliance regulation, usually more than one regulation applied
- Process maturity was generally high for operating systems, but low for other asset types such as applications and drivers (see chart)
- Companies tend to utilize multiple vendor and 3rd-party tools in their patch management process
- 40% of companies depend on user complaints as one factor for patch validation
Combining these Results with Security Trends
I am also a contributor for the Microsoft Security Intelligence Report, where I look at vulnerability trends across the industry. One of the trends we’ve observed over the past several periods is that vulnerability research, as well as malicious attack trends, seem to be increasingly focused on non-OS software – applications, drivers and so on. Combining this trend with the Project Quant survey findings, we have:
- increasing risk in non-OS software such as applications
- lower patch management maturity for non-OS software
These two finding together identify an clear call to action for administrators to review their patch management processes for ways to increase their ability to manage software assets beyond workstations and general servers.
Download the full report at http://securosis.com/research/publication/project-quant-survey-results-and-analysis/.
Regards ~ Jeff