Avoiding Trade-offs

"The dilemma has been in deciding whether the risk associated with an unpatched vulnerability is greater than that associated with deploying an untested patch," Hoff said. He added that Blue Lane's appliance saves him from having to make an either/or decision.

Although Determina's approach requires users to install new code on production systems, the size of the added software is so small that it poses few risks, said the director of information security at a large oil company. The security director, who asked not to be named, tested Determina's software at a previous employer and now wants to install it at his current company.

Richard Ptak, an analyst at Ptak, Noel & Associates Inc. in Amherst, N.J., said that with hackers taking advantage of new software flaws more and more rapidly, IT staffs are coming under increasing pressure to deploy patches as quickly as they can -- often without appropriate testing.

"On the one hand, you want to protect your resources," Ptak said. "On the other, you don't want to run the risk of messing up your production environment."