Oracle’s Patch Plan

This article about Oracle’s quarterly patch process reflects my skepticism that a random, reactive, knee-jerk patching system is useful. Security professionals claim to want patches immediately, but ultimately they can’t push them through their change management process any faster anyway.

An excerpt:

Lindstrom concurred with Oracle’s reasoning. He said Gartner is assuming that "bad guys always know more than the good guys" about software vulnerabilities, when that’s not necessarily the case.

One reaction to this might be – "but we need to plan for the worst case, don’t we?" To clarify, my point is that if we design our security architecture well, we shouldn’t need detailed information about specific vulnerabilities to protect ourselves. Additionally, there are only two cases in recent history where the "bad guys" knew about vulnerabilities when the "good guys" didn’t: the WebDAV vulnerability (which was seen in one instance) and another vulnerability in some game software (I believe) in the Summer of ’03. So the good guys have no need for the vulnerability information, while the bad guys benefit from the details as everyone races to a proof of concept; therefore, less is more.