Reducing internet-based intrusions: Effective security patch management

IEEE Software

Volumn 20, Issue 1, 2003, Pages 50-57

  Brykczynski, Bill ^a   Small, Robert A ^a  

^a T VEC Technologies   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER SOFTWARE; INFORMATION TECHNOLOGY; SECURITY OF DATA; STANDARDS;

INTERNET-BASED INTRUSIONS; SECURITY PATCH MANAGEMENT;

INTERNET;

EID: 0037244529     PISSN: 07407459     EISSN: None     Source Type: Journal    
DOI: 10.1109/MS.2003.1159029     Document Type: Article

References (18)

1. B. Brykczynski and B. Small, Establishing and Measuring Information Security Policy Conformance, SPC-2001054-CMC, Software Productivity Consortium, Herndon, Va., Jan. 2002; www.software.org/catalog/products/product.asp?pfid=385.
2. B. Brykczynski and B. Small, Improving the Security Patch Management Process, SPC-2002015-CMC, Software Productivity Consortium, Herndon, Va., June 2002; www.software.org/catalog/products/product.asp?pfid=410.
3. The National Strategy to Secure Cyberspace (draft), President's Critical Infrastructure Protection Board, Washington, D.C., Sept. 2002; www.whitehouse.gov/pcipb.
4. J.C. Perez, "Gartner: Most IT Security Problems Self-Inflicted," Computerworld, 9 Oct. 2001. www.computerworld.com/securitytopics/security/story/0,10801,64605,00.html.
5. W. Arbaugh, W. Fithen, and J. McHugh, "Windows of Vulnerability: A Case Study Analysis," Computer, vol. 33, no. 12, Dec. 2000, pp. 52-59.
6. Keep Operating Systems and Applications Software Up to Date, CERT Coordination Center, Software Eng. Inst., Carnegie Mellon Univ., Pittsburgh, 2001, www.cert.org/security-improvement/practices/p067.html.
7. "CERT/CC Statistics 1988-2002," CERT Coordination Center, Software Eng. Inst., Carnegie Mellon Univ., Pittsburgh, 2002, www.cert.org/stats/#vulnerabilities.
8. B. Schneier, "Closing the Window of Exposure," Counterpane Internet Security, Cupertino, Calif., 2002, www.counterpane.com/window.html.
9. S. Beattie et. al., "Timing the Application of Security Patches for Optimal Uptime," Proc. 16th Ann. USENIX Systems Administration Conf. (LISA 02), USENIX Assoc., Berkeley, Calif., 2002; www.nxnw.org/~steve/papers/lisa2002-time-to-patch.pdf.
10. Code of Practice for Information Security Management, ISO/IEC 17799:2000, Int'l Organization for Standardization, Geneva, Dec. 2000.
11. P. Mell and M. Tracy, Procedures for Handling Security Patches-Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-40, Nat'l Inst. of Standards and Technology, Gaithersburg, Md., Aug. 2002.
12. E. Messmer, "GSA to Keep Vigilant with Patch-Notification Service," Network World, 2 Dec. 2002, www.nwfusion.com/news/2002/1202fedcirc.html.
13. A. Berg, "Feeling Vulnerable?" Information Security, Feb. 2002, pp. 42-52; www.infosecuritymag.com/2002/feb/features_vulnerable.shtml.
14. S. Sidel and A. Briney, "Patching across the Enterprise," Information Security, Feb. 2002, pp. 48-49; www.infosecuritymag.com/2002/feb/features_sidebar1.shtml.
15. R. Martin, "Managing Vulnerabilities in Networked Systems," Computer, vol. 34, no. 11, Nov. 2001, pp. 32-38.
16. R.S. Kaplan and D.P. Norton, The Balanced Scorecard: Translating Strategy into Action, Harvard Business School Press, Cambridge, Mass., 1996.
17. D.A. Wheeler, Secure Programming for Linux and Unix HOWTO, 2002, www.dwheeler.com/secure-programs.
18. J. Viega and G. McGraw, Building Secure Software, Addison-Wesley, Boston, 2002.