IT has come up with all kinds of ways to protect assets without applying patches. Yes, patching takes time if done correctly. However, the solutions have issues that need to be kept in mind.
1) Don’t patch, as everyone knows patching is risky and can kill an application/server.
This tends to be the excuse of businesses that don’t have a test system for that absolutely critical application/server. Which is riskier, not having a test system or not patching a critical system? Not having a test system to test patches or changes is a bigger problem than not patching–it means that non-patch fixes are applied in production and without testing.
So what do you do if you HAVE a test system and you found that the patch does break things? Try one of the other options (however, I’ve found many admins and DBAs hide behind patch FUD and don’t go any further–it’s just an excuse).
2) Put an application firewall in front of it.
That’s like putting a good fence around your house and leaving your windows open. The fence had better be really, really good. The other issue is that you haven’t put the security (patch) as close to the data (application/server) as possible.
Also, an application firewall can’t block everything, only known threats or classes of threats (behaviors) that have already been identified. (I like to say that loosely speaking, firewalls are kind of like auditors–they block (audit) the same as they did last year until you tell them something different.)
Finally, application firewalls can be hard to configure and tune. Sometimes patching is faster :)
3) Disable the service or application code with the problem so it cannot be compromised.
That works until some other admin who’s not aware of the “fix” turns it back on. Or as I discovered during an audit last year, another application/script/etc. that is run on the box to do an upgrade turns it back on, and the admin doesn’t turn it back off.
I’m not saying that application firewalls or disabling services aren’t helpful–they are–I’m just saying that the risk of the “fix” needs to be fully understood and accepted, but only after a careful analysis has revealed that patching is NOT the best solution, or the most cost-effective solution NOW.
Too often the dangers of the alternative safeguards are not researched and monitored to ensure the “fences” stay in place. Also, the alternatives are sometimes meant to be temporary and end up being permanent.
Until the alarm sounds.