Security Patch Management
Recently released SQL exploit kits remind us of how important it is to patch security vulnerabilities in software. Sadly, most successful attacks use exploits that are well known, but for which the patch has not yet been applied. So who is to blame for not patching the system?
Quite often your system administrator is mistakenly assumed guilty. However, you only need to dig a little deeper to realize that the issue is not negligence but the huge volume of patches that vendors release every month. Security patches arrive continuously from a variety of third-party commercial products, open source libraries and operating systems.
In essence, security patch management becomes a triage tree that attempts to answer which patches need to be applied and when, balanced against the requirements for production stability. Generally speaking, a patch may be ignored if the product, library or service is not installed. Larger patches or software version upgrades are considered higher risk because of the large number of software and system dependencies they touch.
So what do you need to patch? The old security idiom holds true: 'You need to patch everything to make your system secure, and no more!' Today's systems are very complex, which implies they are also very fragile. Security patches deemed critical are usually remotely exploitable and should be applied as soon as possible. Security patches rated less than critical (i.e. Important) can probably wait until your next maintenance patch. And when you can, schedule an upgrade to the latest available OS release, which has all the security patches already applied.
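The triage tree described above, expressed as a small Python policy engine. This is an added example and not code from the original post: the advisory ids (ADV-0001 and so on), the product names and the inventory versions are constructed sample data, and the escalation rule (patch immediately when the vendor rates a fix critical or when the flaw is remotely exploitable) is an assumption about policy, not something the post prescribes. It also assumes plain dotted numeric version strings; distribution-specific version formats would need the distribution's own comparison routine.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Action(Enum):
    NOT_APPLICABLE = "product not installed: ignore"
    ALREADY_PATCHED = "installed version already carries the fix"
    PATCH_ASAP = "critical or remotely exploitable: emergency window"
    NEXT_MAINTENANCE = "apply in the next scheduled maintenance window"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # vendor advisory id (constructed values below)
    product: str              # package name exactly as it appears in the inventory
    fixed_version: str        # first version that contains the fix
    severity: str             # vendor label: critical / important / moderate / low
    remotely_exploitable: bool
    is_version_upgrade: bool  # fix only ships in a new major/minor release


@dataclass(frozen=True)
class Decision:
    advisory_id: str
    action: Action
    high_risk: bool           # version upgrades touch many dependencies: test first


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.0.12' into (3, 0, 12) so that versions compare numerically.
    Assumes dotted numeric versions only (no '1.0.2k'-style suffixes)."""
    return tuple(int(part) for part in text.strip().split("."))


def triage(adv: Advisory, inventory: Dict[str, str]) -> Decision:
    """Apply the triage tree: installed? already fixed? how urgent?"""
    installed = inventory.get(adv.product)
    if installed is None:
        return Decision(adv.advisory_id, Action.NOT_APPLICABLE, False)
    if parse_version(installed) >= parse_version(adv.fixed_version):
        return Decision(adv.advisory_id, Action.ALREADY_PATCHED, False)
    # Policy assumption: escalate on a vendor "critical" rating or on any
    # remotely exploitable flaw, even one the vendor rated lower.
    if adv.severity.lower() == "critical" or adv.remotely_exploitable:
        action = Action.PATCH_ASAP
    else:
        action = Action.NEXT_MAINTENANCE
    # Large upgrades carry dependency risk regardless of urgency; flag them
    # so the change goes through a test environment before production.
    return Decision(adv.advisory_id, action, adv.is_version_upgrade)


def build_plan(advisories: Iterable[Advisory],
               inventory: Dict[str, str]) -> Dict[Action, List[Decision]]:
    """Group every advisory by the action the triage tree assigns it."""
    plan: Dict[Action, List[Decision]] = {action: [] for action in Action}
    for adv in advisories:
        decision = triage(adv, inventory)
        plan[decision.action].append(decision)
    return plan


# Constructed sample inventory: package name -> installed version.
SAMPLE_INVENTORY = {"openssl": "3.0.10", "libxml2": "2.11.4", "postgresql": "15.4"}

# Constructed sample advisories; the ids are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "openssl", "3.0.12", "critical", True, False),
    Advisory("ADV-0002", "libxml2", "2.11.5", "important", False, False),
    Advisory("ADV-0003", "postgresql", "16.0.0", "important", False, True),
    Advisory("ADV-0004", "tomcat", "9.0.80", "critical", True, False),
    Advisory("ADV-0005", "libxml2", "2.11.0", "moderate", False, False),
]


if __name__ == "__main__":
    for action, decisions in build_plan(SAMPLE_ADVISORIES, SAMPLE_INVENTORY).items():
        ids = ", ".join(d.advisory_id + (" [high risk]" if d.high_risk else "")
                        for d in decisions) or "-"
        print(f"{action.name:17s} {ids}")
```

Running the script prints one line per action with the advisories that fall under it; the PostgreSQL entry lands in the maintenance window but is marked high risk because it is a major version upgrade, which is exactly the dependency concern the post raises.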