Mark Shavlik has over 20 years working on and around system software, including being a member of the original Windows NT development team under David Cutler. The last 13 years he has spent at the helm of his own security company, Shavlik Technologies, working in particular on patch management, including writing patching tools for Microsoft.

What concerns him most is the way that the growing complexity of IT security is outstripping the ability of IT departments to keep up with patches - yet at the same time, the bad guys are so numerous that they have little difficulty keeping up with the latest vulnerabilities.

That, he argues, is why organisations have got to automate the process of patching, as well as managing and auditing it for the purposes of regulatory compliance and risk assessment, and it's why he developed his NetChk patch management software.

"Patch management is the number one thing you need to do to keep safe. It is widely available but we can still differentiate," he says. "If you patch properly, you are immune to the problem - assuming the patch works. We do patch tests and so on."

So why not use the tools provided to you, such as Windows Update, MBSA, WSUS and the 'check for updates' option in most apps? The answer, Shavlik says, is in the question.

"You need three different tools to patch all of Microsoft's products - and we wrote all of them. Letting the user do patching is a risk because it may not get done, and you have no measurement. A lot of patches require administrator-level to install too, which I don't like.

"We're not about the end user, we think a dedicated person has to do this. It needs an expert, so we focus on the administrators.

Fighting the backlog
"The more widespread security becomes, the less skilled people will be. Every IT department has a backlog. We don't want to be one more problem for the network administrator - the security people and auditors drive our product in, but network admins that are the majority of our customers.

"We wrote the MBSA engine years ago so NetChk is a drag and drop replacement. Also it's agentless and has a scripting tool, whereas the Microsoft replacement is GUI-based and requires agents."

Increasingly, configuration management tools from the likes of Altiris and LANDesk are gaining patching capabilities, but Shavlik argues that a pure-play patch management tool can still offer advantages. For a start, he asks, can other tools patch all your apps, as well as your operating systems? And he says it's essential to make sure patches are tested and made available to you as soon as possible.

"Banking customers want patches within hours - we have to test and make sure they don't break their networks," he says. "We recently found spyware exploiting a vulnerability within days."

There are other options, of course, such as virtual patching, where attacks on known vulnerabilities are blocked at the perimeter, or vulnerability assessment tools like Skybox Assure. But Shavlik reckons that the only real solution is to apply the patches.

"Virtual patching is good for a bit of time but it's not foolproof," he says. "It's definitely a temporary solution. If you invest in a patching solution like ours, you don't need it. I'm not a fan of virtual patching - you can't prove it's working, and with patch management you can get the patch time down to around four hours."

Security spreads
He adds that an increasing amount of his company's work is supplying technology to other software companies. For example, NAC (network access control) is throwing up a growing need for tools to fix client systems once they have been scanned and found to be insecure. Among others, Shavlik Technologies developed the remediation tools for McAfee and Symantec's quarantine products, says its eponymous boss.

And the company is moving into new areas too, such as regulatory compliance and anti-spyware. Mark Shavlik says that these are all clearly related.

"We have added spyware detection to patch management - it's efficiency for your workforce, especially as spyware now looks for missing patches," he explains. "Lots of malware can be patched against - malware exploits are a growing trend right now.

"And we revised our compliance product based on feedback. A key piece was creating policies - it was a manual process, now we have an expert system to analyse a system set-up and replicate that. Creating policy is hard, measuring it is harder, then you have to enforce. Systems get worse so you have to keep remediating."

Yet with all those new areas to explore, he can't shake off the past. In particular, Windows NT which he helped develop - and which Microsoft keeps trying to kill off - is still good business for Shavlik Technologies.

"We do a lot of work to support NT," Shavlik says, "because it's still out there."