Select Page

Patch management is one among the major IT Security concerns most of the organizations are worried about. It is practically not possible to have a 100% of the IT infrastructure patched with all patches released by all the software vendors in the environment. Following are some of the key challenges faced by the organizations in achieving higher compliance towards the patch management

  • IT environments are heterogeneous with various software vendors are having different patching mechanisms
  • In addition to the operating systems, applications,application servers and application plugins are required to be patched as and when there are vulnerabilities identified. How often you patch Acrobat reader or 7 zip? What about that apache server running a small interface application?
  • Many Open source software tools have less reliable patch management mechanisms. How about a fork developed for a specific application? What about the application developed by an independent consultant? What about the support guarantees and vulnerability management clauses in the same? Not many open source companies are providing dedicated support. How about a particular plugin of your favourite open source content management system like Drupal, WordPress, Joomla or any similar ones? What if the plugin is already abandoned by the developer?
  • Limited understanding of IT Administrators about a specific patch as to whether it is applicable in the environment or not. DBA.s often consider that some of the patches are not applicable for the database they are running even though the vendor recommends the implementation.
  • Lack of effective coordination with IT and business functions like application administrators, DBAs, end users, business owners etc for applying specific patches like Oracle (DBA is concerned about it), IPS (business may not want a down time), Online Banking application (downtime & new compatibility is a concern for business) etc. It is true that many of the concerns can be tested and validated by respective group of people before patching the production systems; however, many consider it as a risk (from availability perspective) to apply patches in the production unless it is proved as a requirement.
  • Compatibility issues of underlying software. This is especially applicable in the case of browsers. Let us assume one of your application requires 2 months time to get it upgraded so as to have compatibility with the latest browser upgrade? How is it handled?

No software companies are releasing new versions of the software in every 6 months. So what are there software developers are doing? Most of them are developing patches for the weaknesses identified and release patches very often. Now, the challenges of an IT Security professional is to cope up with the above challenges and protect the organization from the vulnerabilities which are not patched, but publicly announced (many times the zero day ones as well). The organizations patch cycle may not meet the vendors patch release. For example, Patch Tuesdays from Microsoft are monthly. Adobe and Mozilla talks about it once in two weeks. Chrome does it much often. Then we have other vendors which does it on ad-hoc basis.

It is a very difficult process to maintain high patch management level This leaves the organization into partial darkness when it comes to vulnerability management. There are many solutions offered by software vendors, however, many of them work in isolation. For example, WSUS from Microsoft addresses only the MS patches and not acrobat or flash. Not many solutions address the application patches or *NIX patches. Databases patches are another in the list. Virtual patching is another solution put forward by many vendors to address majority of these problems.

IT IMHO, it is important for an organization to have a comprehensive Vulnerability Management plan which addresses most of the above challenges. The solution should address the requirements such as:

  • Discovering the vulnerabilities
  • Assess the vulnerabilities
  • Remediation of the vulnerabilities
  • Assess the compensating controls
  • Assess the post effects of the new patches

What are your thoughts on this? What are the challenges in your opinion and how often you get into this rat race?