According to the former Equifax CEO’s testimony to Congress, one of the primary causes of this now infamous data breach was the company’s failure to patch a critical vulnerability in the open source Apache Struts Web application framework. Equifax also waited a week to scan its network for apps that remained vulnerable.[1]

Would you like to appear at the next Congressional hearing on patch management?

Patch management is the process of identifying, acquiring, installing, and verifying patches for products and systems. Patches not only correct security and functionality problems in software and firmware, but they also introduce new, and sometimes mandatory, capabilities into the organization’s IT environment. It is so useful, the CERT® Coordination Center (CERT®/CC) claims that 95 percent of all network intrusions are avoidable by using proper patch management to keep systems up-to-date.

This nightmare true story and compelling endorsement from CERT®/CC, however, masks the ugly operational patch management implementation complexities. Key enterprise challenges include:

- Timing, prioritization, and testing of patches often present conflicting requirements.
- Competitive prioritization of IT resources, business imperative, and budget limitations often leave patching tasks on the back burner
- Technical mechanisms and requirements for applying patches may also conflict and may include:
  - Software that updates itself with little or no enterprise input
  - Use of a centralized management tool
  - Third-party patch management applications
  - Negative or unknown interactions with network access control, health check functions, and other similar technologies
  - User initiated manual software updates
  - User-initiated patches or version upgrades
- Typical enterprise heterogeneous environment that includes
  - Unmanaged or user managed hosts
  - Non-standard IT components that require vendor patching or cannot be patched
  - Enterprise owned assets that typically operate on non-enterprise networks
  - Smartphones, tablets, and other mobile devices
  - Patching of rehydrating virtual machines
  - Firmware updates

Piling up on these purely operational tasks are the change management steps associated with:

- Maintaining current knowledge of available patches;
- Deciding what patches are appropriate for particular systems;
- Ensuring proper installation of patches;
- Testing systems after installation;

