How to hone an effective vulnerability management program
A comprehensive collection of articles, videos and more, hand-picked by our editors
If you have a Microsoft-based infrastructure, you will probably find that Microsoft's free WSUS (Windows Server...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Update Services) is the easiest way to keep your software up to date. However, if you run customized software or non-Microsoft applications, such as Adobe Reader and Mozilla Firefox, then WSUS will not be sufficient because it won't be able to help you patch these third-party applications.
Although Microsoft's System Center Configuration Manager (SCCM) isn't free, it can handle updates from other software vendors as well as updates for your own internal custom applications, plus bios and firmware for popular hardware vendors. It also gives you better targeting, delegation and reporting than WSUS. If you need to meet particular compliance standards or requirements, then the reporting capabilities of your patch management tool will be a factor in your choice of product, as you need to be able to show the patch status of your network.
For thorough and accurate reports, you'll find it hard to beat Corporate Software Inspector (CSI) from Denmark-based Secunia ApS. It provides a highly detailed software inventory, including both programs and plugins, mapped to security alerts and available updates. CSI can automatically repackage security updates and patches and push them to SCCM, checking that they are applied correctly and all systems are fully compliant.
If you have a limited budget, another free Windows-based patch management software is IT.Shavlik.com a SaaS-based application that is free for managing patch rollouts for up to 10 servers or workstations. If you have a heterogeneous network running different operating systems, then your choice of tool is more limited and you will likely have to pay for a more comprehensive commercial tool.
Well-known names in this field are LANDesk Software Inc.'s Patch Manager, a subscription service that automates vulnerability assessment and patch management throughout a heterogeneous network, and Lumension Security Inc.'s Vulnerability Management Solution aimed at complex, highly distributed environments.
I would recommend only using one tool for auditing -- scanning the network to see what's installed and what's needed -- as there can be inconsistencies between reports from different tools. It can be difficult to maintain consistency across your network if different segments are using different tools. Before you pay for patch management software, be sure you really need the additional features it offers over and above those of the free ones, as you will have to find the budget for training administrators unfamiliar with any new tools.
Related Q&A from Michael Cobb
What is BGP hijacking or IP hijacking and how do cybercriminals pull off the attacks? Expert Michael Cobb explains how enterprises can mitigate these...continue reading
Is the Dell eDellRoot security threat a serious problem and, if so, can it be prevented with self-signed root certificate authorities? Expert Michael...continue reading
What does FIPS 140-2 Level 2 certification for devices cover? Expert Michael Cobb explains the FIPS 140-2 security standard and how vendors use it in...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.