Does Vendors Fix Philosophies Match Yours?

Opinion: Along with an application's cost, IT managers should look at the vendor's approach to fixing problems.

Finally the long winter is over, and our thoughts turn to warm-weather pursuits. Some people will plan beach vacations, while others will turn to hiking, fishing and other outdoor activities.

Me? Im planning that truly American experience of going to a big amusement park. But which one? The quality of rides and the cost are important considerations, but probably the biggest factor is the safety record of the park.

Ive narrowed it down to two choices: the world-famous Jim World and the ubiquitous Great Rapoza Experience. Both parks have had about the same number of potential problems that require equipment maintenance, repairs or even outright redesigns. But both handle these problems differently.

The Great Rapoza Experience typically announces every major or minor problem that it finds and rushes to fix it almost immediately. This has earned the park lots of good will in the hard-core ride enthusiast community. However, it also tends to lead to negative coverage in the press, which harps on the problems rather than on the fact that they were quickly fixed.

Jim World, on the other hand, keeps as quiet as possible about most problems and fixes to problems. When there is a major issue, Jim World usually fixes it in good time, but the park also sits on many smaller problems and then quietly fixes them in quarterly park redesigns.

Now that I think about it, these same factors can be found in the software world, and software buyers need to make similar decisions when purchasing applications.

In last weeks column, I argued that software vendors should work with researchers who look for software vulnerabilities and that vendors should be open about the discovered problems. But when one looks at the many commercial and open-source software vendors out there, it is easy to see that there are many levels and definitions of openness.

Some choose to address every single problem as it comes to light, an approach that is typical of—but not found solely in—open-source products. Others fix critical problems immediately but sit on smaller problems and fix them in big updates or service packs.

Much of the discussion about these approaches tends to focus on the political issues. Vendor A might say that Vendor Bs products are insecure because Vendor B issues multiple fixes. Vendor B might then turn around and say that the single service pack Vendor A issued actually fixed 50 problems that people were exposed to in the months prior to the service packs release.

But theres really no right answer when it comes to issuing software fixes. Open-source organizations often sit on smaller bugs for months and address them in a .0x release that is essentially a service pack. And commercial vendors will sometimes quickly address less-critical bugs that are affecting many users.

For IT administrators, the political back and forth is much less important than which patching approach best fits their organizations security practices and system management procedures.

With the "fix everything quickly" approach, the administrator benefits from knowing about a problem right away and promptly getting a fix. On the other hand, being put in a position of constantly having to decide which fixes need to be tested and deployed can add a sometimes-unmanageable load onto administrators backs.

With the "fix most small problems in a big service pack" approach, administrators need only test a single big patch once, which can make deployment a lot easier. However, administrators may also have wasted months dealing with a problem whose fix was being saved for a service pack.

So when looking at security as a deciding factor in choosing an application, you may want to focus less on the raw numbers and more on how the vendor or developer approaches bug and security fixes.

As for my amusement park choice, all the data is pretty close, so Im going to have to go with what is by far the most influential factor for most people (and businesses): Im going to go with the amusement park that offers the biggest discount coupons.

Labs Director Jim Rapoza can be reached at

To read more Jim Rapoza, subscribe to eWEEK magazine.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.