Argh, dammit, I can’t tell you. But the imaginary conversation goes like this.
Me: “Hi security company, I see that you have an enterprise grade security product that my client has put at the heart of their enterprise?”
Dumb Security Company (DSC) “Yes, can I tell you about it, its great – it has elements that …”
Me: “No, no, please stop. Anyway, the client tells me that your security products runs on Windows”
DSC: “Yes, that’s right we have a strategic relationship with Mi…”
Me: “Woah, thanks, got that, so my client needs to apply patches to the server that you run your product on?”
DSC: “Very good, patching is an important cyb….”
Me : “Gonna have to stop you again. But in this case your support people have told their support people that they must not install the critical OS patches or bad things might happen?”
DSC: “So stability is of para….”
Me: “Easy there tiger. So just to calibrate my BS detectors – You produce an enterprise grade security product that runs on a version of windows that you insist cannot be patched – in this case for more than a year?”
DSC: “…”
Me: “You, a SECURITY company make a SECURITY PRODUCT and then insist that the platform is NEVER PATCHED?
DSC: “…”
Me: “Do you KNOW how many critical issues there are for the platform that your system runs on?”
DSC: “…”
Me “Great, nice talking to you”.
And the lesson of the day is that just because patching is hard does not mean that it does not need to be done. Yes, you will need to regression test your product. Get on with it. Make fixes not excuses.