Can Patch-Management Companies Survive?

Simply setting Microsoft's 'Windows Update' program on automatic and letting it do its thing is a poor defense for most companies.
Who would have thought that a day would come when there are far more companies selling ways to patch PC operating systems than there are companies selling PC operating systems?

That's where we find ourselves now. Microsoft Corp.'s Windows operating system ships on more than 93 percent of PCs worldwide, according to a report by market-research firm IDC.

Meanwhile, there are at least 21 major players in the business of providing patch-management software that simplifies the maddening task of applying the scores of fixes that come out each year for Windows, Microsoft Office and other programs, according to a recent buyer's guide by Jeff Fellinge in Windows IT Pro magazine.

I don't know whether having so many companies in this space is a good thing or a bad thing, but one thing's for sure — it's a whole 'nother layer of software that IT managers didn't have to grapple with just a few years ago.

Live And Let Die

There's so much ferment in solutions for patch management that John Dix, the editor of Network World, a weekly tech magazine, recently challenged all the vendors to a "virtual showdown" — an online debate beginning Nov. 15 on how best to patch. In his announcement, Dix implied that there would soon have to be a consolidation of the major providers, who now come in three configurations:

Pure-Play Patch Management. These are specialized companies, such as Shavlik Technologies and Big Fix, which concentrate almost entirely on patching operating systems and applications.

Server And Desktop Management. Firms such as Configuresoft and Altiris, which traditionally have focused on computer asset management, are increasingly moving into patch management as well.

Security Scanning. Companies that grew famous on their antivirus and vulnerability scanning tools, such as McAfee and Symantec, are also building up their offerings in the patch-management field.

Can all of these players continue to innovate without some of them falling by the wayside? Dix declined to comment for this article.

Don't Get Out The Embalming Fluid Yet

One of the standalone patch-management vendors makes a strong case that the specialized firms will have a continuing role for a long, long time.

"There are a handful of standalone patch-management companies: Shavlik, Patchlink, Big Fix, Ecora, St. Bernard," says Eric Schultze, the chief security architect of Shavlik Technologies. "Any of the other vendors use one of those five companies' technology," he notes, citing Configuresoft as an exception that has built its own solution.

Patch-management software, in this view, is a product that you can either buy from its original developer or from a major-label software publisher with only cosmetic differences.

"We've decided that we want to be the 'Intel Inside' of the patch-management market," Schultze explains. "We have technology that's used by Symantec, BMC Software through its Marimba acquisition, iPass, Bindview, NetIQ, Executive Software, and in some sense Microsoft. The Microsoft Systems Management Server 2.0 and SMS 2003, its patch-management detection engine, is an older version of the Shavlik engine." Symantec obtained a relationship with Shavlik through the larger corporation's February 2004 acquisition of On Technology, which had previously signed a deal with Shavlik.

In addition to business opportunities for the specialized firms to provide technology to the larger, more established companies, there are plenty of new challenges that IT leaders will need help to confront, Schultze says. Shavlik itself is moving into "spyware management," for example.

Spokespersons for McAfee and Symantec did not provide company executives for comment on this subject by press time.

Nailing Down The Patch-Management Market

Others also see plenty of openings for players of all sizes. "Patch management software for Windows is still in its infancy, really. Microsoft is still working out the kinks in providing companies with reliable patches in a consistent format," says Fellinge, the author of the patch-management buyers' guide.

"Patch management software must do three things right: deploy patches reliably, scan systems accurately, and provide solid reports of enterprise patch status," he explains. "I think that in the short term there is room for small and large vendors — but those companies that get these three points at a reasonable price will nail the market."

Conclusion

We may question why we have to install multiple security upgrades every month — but the reality is that this is going to continue to be a fact of life, now that hackers around the world have learned how easy it is to exploit holes in Windows and other software.

Simply setting Microsoft's "Windows Update" program on automatic and letting it do its thing is a poor defense for most companies. Major enterprises must test all new patches before deploying them. And even small businesses must use separate, nonautomatic systems to update non-OS software, such as Microsoft Office, which has its own upgrade procedure.

The need to handle all these application changes is so great that most of the patch-management vendors seem likely to stick around for the duration — whether their code retains its original name or takes on the logo of a more famous software publisher.





