Patch Information Page

Guide to the patch management process
This document is meant to provide details on patch management including the importance of a documented patch management process, how to implement the process successfully, and some common issues and roadblocks to avoid when doing so.

What is a Patch & Why is Patch Management so Important?
A patch is a piece of code released by a software vendor or maintainer to correct a flaw in software that is already deployed; a security patch corrects a flaw that an attacker could exploit (a vulnerability). Patching is an essential part of an organization's cyber hygiene, because attackers routinely target known, already-disclosed vulnerabilities for which a fix is available but has not yet been applied.

Given the very public breaches of recent years in which known, unpatched vulnerabilities played a role (e.g. Equifax, Yahoo, Facebook, Marriott, etc.) and the unprecedented SolarWinds supply chain attack of 2020, reducing the risk of a breach is a priority for every organization. One of the most effective ways to do so is to review (or create) the patch management process, confirm that it is actually being followed, and identify and close the gaps: systems that are not inventoried, patches that are never tested, or deadlines that are missed without anyone noticing.

What is the Difference Between a Patch & a Hotfix?

A hotfix is a patch that is applied out of band, that is, outside the normal patching schedule, because the flaw it corrects is critical (for example, actively exploited or exposing internet-facing systems) and cannot wait for the next cycle. A regular patch corrects a less urgent flaw and is deployed through the normal patching cycle, with the usual review and testing steps. The distinction is about urgency and scheduling, not about the nature of the code itself: a hotfix is still a patch and still needs to be tracked and validated after it is applied.

What is a Patch Management Process?
When patches for vulnerabilities need to be deployed, it is essential that a consistent and repeatable process is followed, so that every patch is reviewed, tested, and validated before it reaches production systems. Developing a patch management policy should be the first step. The policy defines how the organization identifies applicable patches, prioritizes them (including which ones qualify as hotfixes), tests them, deploys them on a defined schedule, and verifies afterwards that they were actually applied, so that systems are kept current without being destabilized by the change.
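The validation step of the process described above, checking that the patches the policy requires are actually present on the systems in the inventory, is the one most often skipped. The following is an added example written for this page, not code from the original document or from any patch management product: it compares a (constructed) asset inventory against a (constructed) table of required minimum versions and reports each gap with its priority. The product names, hosts, versions and the `out_of_band` flag are all hypothetical sample data, and version strings are compared by their numeric components only, which is an assumption that suits dotted vendor versions but not every scheme.

```python
"""Added example: find systems that have not reached the required patch level.

Illustrative code written for this page; the inventory and the required
patch levels below are constructed sample data, not real advisories.
"""
import re
from typing import Dict, List


# Constructed policy table: the minimum fixed version for each tracked
# product, and whether the fix is an out-of-band hotfix or a scheduled patch.
REQUIRED_PATCH_LEVELS: Dict[str, dict] = {
    "webserver": {"min_version": "2.4.51", "out_of_band": True},
    "dbclient": {"min_version": "10.5.12", "out_of_band": False},
}

# Constructed inventory as it might be exported from an asset database.
SAMPLE_INVENTORY: List[dict] = [
    {"host": "web-01", "product": "webserver", "version": "2.4.49"},
    {"host": "web-02", "product": "webserver", "version": "2.4.51-1"},
    {"host": "app-01", "product": "dbclient", "version": "10.5.9"},
    {"host": "app-02", "product": "othertool", "version": "1.0"},
]


def parse_version(version: str) -> tuple:
    """Turn '2.4.51-1' into (2, 4, 51, 1) so versions compare numerically.

    Assumption: only the numeric components matter. A plain string
    comparison would wrongly rank '2.4.9' above '2.4.51'.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_patched(installed: str, minimum: str) -> bool:
    """True when the installed version is at or above the required fix."""
    return parse_version(installed) >= parse_version(minimum)


def find_patch_gaps(inventory: List[dict], required: Dict[str, dict]) -> List[dict]:
    """Return one record per system that is below its required patch level.

    Each record carries the priority the policy assigns: 'hotfix' for
    out-of-band fixes that must not wait, 'scheduled' for the normal cycle.
    """
    gaps = []
    for item in inventory:
        rule = required.get(item["product"])
        if rule is None:
            continue  # product not covered by the policy; see find_untracked()
        if not is_patched(item["version"], rule["min_version"]):
            gaps.append({
                "host": item["host"],
                "product": item["product"],
                "installed": item["version"],
                "required": rule["min_version"],
                "priority": "hotfix" if rule["out_of_band"] else "scheduled",
            })
    return gaps


def find_untracked(inventory: List[dict], required: Dict[str, dict]) -> List[str]:
    """Hosts running software the policy says nothing about.

    These are the inventory gaps the process should surface, since a
    product nobody tracks is a product nobody patches.
    """
    return [item["host"] for item in inventory if item["product"] not in required]


if __name__ == "__main__":
    for gap in find_patch_gaps(SAMPLE_INVENTORY, REQUIRED_PATCH_LEVELS):
        print(f"{gap['priority']:9} {gap['host']}: {gap['product']} "
              f"{gap['installed']} < required {gap['required']}")
    for host in find_untracked(SAMPLE_INVENTORY, REQUIRED_PATCH_LEVELS):
        print(f"untracked {host}: no patch policy for its software")
```

Run against the sample data this reports `web-01` as a hotfix gap, `app-01` as a scheduled gap, and `app-02` as untracked, while `web-02` passes because `2.4.51-1` is at or above `2.4.51`. In practice the inventory would come from an asset database or endpoint agent, and the required-version table from the organization's own tracking of vendor advisories; the comparison logic and the habit of reporting untracked systems alongside unpatched ones are the parts worth keeping.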