Respectfully, that's not what he said, MG (about Code Red).

I'm sure you and your staff are plenty competant about keeping things up to date and secure, and you should take some pride in that. But your and your staff don't do it for your health. It takes time and money to do these things. If you are really going to press the business point (as you should), then think of how much money it costs in labor and time to apply each patch (including reading about it, downloading, installing it, testing it, etc.). Even at a couple hundred bucks a pop, it starts to add up. Then ask yourself if it is really a cost-conscious endeavor to constantly apply patches at that kind of expense. It may be cost effective to you, but every Fortune 100 company I've ever come across tries to limit the deployment of IIS to as few machines as possible (or simply don't allow it) for that very reason of expense and stability. Admittedly, I've only seen a couple dozen or so, but there is a definite pattern.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/74/12002#12002