Primer: Patch Management

By David F. Carr

Specialized software automates the installation of patches.

  • What is it? Patch management ensures that vendor-supplied software patches are distributed to and installed on all computers that require a particular update. Patching system vulnerabilities properly has emerged as a critical information security issue, particularly for Windows desktop computers. Patch management software products automate the process on a large scale.

  • Why is it important? By one Gartner estimate, about 90% of information security breaches are related to a known system vulnerability that was not properly patched. Microsoft alone has been releasing software patches at the rate of more than one a week since 2002, so it's no wonder organizations have trouble keeping up. Software patches also have the potential to cause their own problems, and can sometimes even damage existing applications.

  • Who are the vendors? In addition to patch management specialists such as PatchLink, BigFix and Shavlik Technologies, patch management capabilities are available from configuration management software vendors such as Altiris, BMC Software (through the Marimba software distribution technology it acquired in 2004), LANDesk and ManageSoft, as well as security and vulnerability management firms like Citadel Security Software and Configuresoft.

    Microsoft supports patch management through its Systems Management Server (SMS) product, as well as a free offering called Software Update Services, which uses the automatic update component embedded in Windows 2000, Windows XP and Windows 2003 Server.

  • Is this just a Windows issue? No. System vulnerabilities also appear periodically in Unix, Linux and popular open-source software such as the Apache Web server. Other types of patches need to be implemented to improve system performance or stability. However, the large number of Windows desktop computers and occasionally connected laptops at most corporations makes it a bigger challenge to patch those systems reliably. Windows patch management also receives more attention because most Internet worms have spread by exploiting Windows vulnerabilities for which patches were already available; many systems simply had not been patched properly.

    Jim Richardson, a network consultant with CPI Solutions in Camarillo, Calif., got his introduction to patch management while he was employed at Dole Foods. The patch management project there, he says, revolved around Microsoft's SMS because it started after "we got hit pretty hard by one of the Windows Internet worms." Microsoft's product worked well there, and he continues to recommend it in his consulting work, "but there was a lot of trial and error to get the system to be finely tuned." Systems administrators need to concentrate on minimizing the network congestion and downtime from system reboots that can accompany patch distribution, he says.

  • Can configuration management software do the job? Many configuration management products now include patch capabilities. Patch management-specific vendors distinguished themselves by helping systems managers analyze and test patches before deploying them, to ensure the patches don't cause more problems than they solve. Gartner analyst Mark Nicolett notes, however, that because configuration management vendors have improved their patch features, he generally recommends them for organizations that have established, or are in the process of establishing, an enterprisewide software distribution and configuration system.

    This article was originally published on 2005-05-04
    David F. Carr is the Technology Editor for Baseline Magazine, a Ziff Davis publication focused on information technology and its management, with an emphasis on measurable, bottom-line results. He wrote two of Baseline's cover stories focused on the role of technology in disaster recovery, one focused on the response to the tsunami in Indonesia and another on the City of New Orleans after Hurricane Katrina. David has been the author or co-author of many Baseline Case Dissections on corporate technology successes and failures (such as the role of Kmart's inept supply chain implementation in its decline versus Wal-Mart or the successful use of technology to create new market opportunities for office furniture maker Herman Miller). He has also written about the FAA's halting attempts to modernize air traffic control, and in 2003 he traveled to Sierra Leone and Liberia to report on the role of technology in United Nations peacekeeping. David joined Baseline prior to the launch of the magazine in 2001 and helped define popular elements of the magazine such as Gotcha!, which offers cautionary tales about technology pitfalls and how to avoid them.