If you have a Microsoft-based infrastructure, you will probably find that Microsoft's free WSUS (Windows Server Update Services) is the easiest way to keep your software up to date. However, if you run customized software or non-Microsoft applications, such as Adobe Reader and Mozilla Firefox, then WSUS will not be sufficient because it won't be able to help you patch these third-party applications.
Although Microsoft's System Center Configuration Manager (SCCM) isn't free, it can handle updates from other software vendors as well as updates for your own internal custom applications, plus BIOS and firmware updates from popular hardware vendors. It also gives you better targeting, delegation and reporting than WSUS. If you need to meet particular compliance standards or requirements, then the reporting capabilities of your patch management tool will be a factor in your choice of product, as you need to be able to show the patch status of your network.
For thorough and accurate reports, you'll find it hard to beat Corporate Software Inspector (CSI) from Denmark-based Secunia ApS. It provides a highly detailed software inventory, including both programs and plugins, mapped to security alerts and available updates. CSI can automatically repackage security updates and patches and push them to SCCM, checking that they are applied correctly and all systems are fully compliant.
If you have a limited budget, another free Windows-based patch management option is IT.Shavlik.com, a SaaS-based application that is free for managing patch rollouts for up to 10 servers or workstations. If you have a heterogeneous network running different operating systems, then your choice of tool is more limited and you will likely have to pay for a more comprehensive commercial tool.
Well-known names in this field are LANDesk Software Inc.'s Patch Manager, a subscription service that automates vulnerability assessment and patch management throughout a heterogeneous network, and Lumension Security Inc.'s Vulnerability Management Solution aimed at complex, highly distributed environments.
I would recommend only using one tool for auditing -- scanning the network to see what's installed and what's needed -- as there can be inconsistencies between reports from different tools. It can be difficult to maintain consistency across your network if different segments are using different tools. Before you pay for patch management software, be sure you really need the additional features it offers over and above those of the free ones, as you will have to find the budget for training administrators unfamiliar with any new tools.
This was first published in February 2011