Who would have thought that a day would come when there are far more companies
selling ways to patch PC operating systems than there are companies selling
PC operating systems?
That’s where we find ourselves now. The Microsoft Corp.’s Windows
operating system ships on more than
93 percent of PCs worldwide, according to a report by
market-research firm IDC.
Meanwhile, there are at least 21 major players in the business of providing
patch-management software that simplifies the maddening task of applying the
scores of fixes that come out each year for Windows, Microsoft Office and
other programs, according to a recent
buyer’s guide by Jeff Fellinge in Windows IT Pro magazine.
I don’t know whether having so many companies in this space is a good thing
or a bad thing, but one thing’s for sure — it’s a whole ‘nother layer
of software that IT managers didn’t have to grapple with just a few years ago.
Live And Let Die
There’s so much ferment in solutions for patch management that John Dix,
the editor of Network World, a weekly tech magazine, recently
challenged all the vendors to a “virtual showdown”
— an online debate beginning Nov. 15 on how best to patch. In his
announcement, Dix implied that there would soon have to be a consolidation
of the major providers, who now come in three configurations:
Can all of these players continue to innovate without some of them falling
by the wayside? Dix declined to comment for this article.
Don’t Get Out The Embalming Fluid Yet
One of the standalone patch-management vendors makes a strong case that the
specialized firms will have a continuing role for a long, long time.
“There are a handful of standalone patch-management companies: Shavlik,
Patchlink, Big Fix,
St. Bernard,” says
Eric Schultze, the chief security architect of Shavlik Technologies. “Any of
the other vendors use one of those five companies’ technology,” he notes,
citing Configuresoft as an exception that has built its own solution.
Patch-management software, in this view, is a product that you can either buy
from its original developer or from a major-label software publisher with only
“We’ve decided that we want to be the ‘Intel Inside’ of the patch-management
market,” Schultze explains. “We have technology that’s used by Symantec,
BMC Software through its
Marimba acquisition, iPass,
Software, and in some sense Microsoft. The Microsoft
Management Server 2.0 and SMS 2003, its patch-management detection engine,
is an older version of the Shavlik engine.” Symantec obtained a relationship
with Shavlik through the larger corporation’s February 2004 acquisition of On
Technology, which had previously signed a deal with Shavlik.
In addition to business opportunies for the specialized firms to provide
technology to the larger, more established companies, there are plenty of new
challenges that IT leaders will need help to confront, Schultze says. Shavlik
itself is moving into “spyware management,” for example.
Spokespersons for McAfee and Symantec did not provide company executives for
comment on this subject by press time.
Nailing Down The Patch-Management Market
Others also see plenty of openings for players of all sizes.
“Patch management software for Windows is still in its infancy, really.
Microsoft is still working out the kinks in providing companies with
reliable patches in a consistent format,” says Fellinge, the author of the
patch-management buyers’ guide.
“Patch management software must do three things right: deploy patches reliably,
scan systems accurately, and provide solid reports of enterprise patch status,”
he explains. “I think that in the short term there is room for small and large
vendors — but those companies that get these three points at a reasonable
price will nail the market.”
We may question why we have to install multiple security upgrades every month
— but the reality is that this is going to continue to be a fact of life,
now that hackers around the world have learned how easy it is to exploit holes
in Windows and other software.
Simply setting Microsoft’s “Windows Update” program on automatic and letting it
do its thing is a poor defense for most companies. Major enterprises
must test all new patches before deploying them. And even small businesses
must use separate, nonautomatic systems to update non-OS software, such as
Microsoft Office, which has its own upgrade procedure.
The need to handle all these application changes is so great that most of the
patch-management vendors seem likely to stick around for the duration —
whether their code retains its original name or takes on the logo of a more
famous software publisher.