I am pleased today to announce a project that I have been working to get going for a little while: Project Quant, an open model and method development project being done in conjunction with Rich Mogull of Securosis. Its goal is to develop a cost model for patch management response that accurately reflects the financial and resource costs of evaluating and deploying software updates (patch management).
For me, this is a convergence of two passions that I have in my job and the work I do:
I’ve spoken with a lot of Microsoft customers and found that their IT departments have a strong desire for metrics that help them run their day-to-day business. Many of my past analyses and reports were developed with this in mind, but they tend towards the technical aspects of security and less towards the business aspects. If we know that two software companies each fixed 50 vulnerabilities last year, that might tell us something about the software, but it tells us nothing about how those fixes affected different customers in terms of the work and resources required.
As a small (incomplete) example, here are some things that would affect the IT departments:
I think what is needed is a model that captures these and many other aspects of patch management policies and operational realities, and that is also flexible enough to model small businesses as well as very large corporations. Project Quant is an effort to get the ball rolling on that.
Regards ~ Jeff
Initial Project Quant news coverage:
(and a German article) Microsoft: Schnelleres Patchen mit Project Quant (in English: "Microsoft: Faster Patching with Project Quant")