Friday, May 22, 2020

On "Patching" II

The tolerance of the IT community for poor software quality seems infinite.  The "quality" strategy of major software vendors is to push the cost of quality onto the customers.  The more customers they have, the greater the cost.  Instead of "doing it right the first time," the vendors push out late patches.  From the rate at which they push out patches one may infer that there is a reservoir of vulnerabilities.  Their customers have had to allocate resources and organize them around "patching."  They are almost grateful for the fixes.

The market, the collective of buyers, prefers systems that are open, general, flexible, and that have a deceptively low price.  The real cost includes the cost of perpetual patching, the unknown cost of accepting the unknown risk of all the vulnerabilities in the reservoir, along with the risk of an unnecessarily large and public attack surface.

We do not even measure the cost of their poor quality.

We should be confronting the vendors with this hidden cost.  We should be comparing them on it.