Patch deployment timeline

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

BROWSE BY TAG Platform Security,   Application and Platform Security,   Enterprise Vulnerability Management,   Security Patch Management,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Platform Security What are the security risks of Windows Vista RSS functionality? How to harden Linux operating systems What are the key provisions of Massachusetts Executive Order 412? A simple substitution cipher vs. one-time pad software When should a virtual patch be used? What is the best operating system for an FTP server implementation? Are encrypted, self-deleting USB storage drives worth the investment? Can read/write access policies be put on a SAN server? Is it more secure to have a mainframe or a collection of servers? Should open source disk-encryption software be used? Security Patch Management Adobe patches ColdFusion vulnerability blocking website attack Microsoft to address DirectShow, ActiveX zero-day flaws Adobe fixes critical Shockwave Flash Player flaw Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates Adobe issues first quarterly patch release fixing 13 flaws Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Adobe shifts to Microsoft patching process, incident response plan Software delivery could fix software patching issues Microsoft updates Office to address serious PowerPoint vulnerabilities

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

It very much depends on how critical the patch is, how homogenous your server and workstation configurations are, and if you use automated patch management tools. You have to be able to test and decide whether to deploy a security-related patch in just a few days as the length of time between the awareness of a vulnerability and the introduction of an exploit is shrinking fast. Other patches can be tested and deployed over a longer period of time. Ideally, you have a complete system inventory that prioritizes all your machines, so you can plan your patch strategy around your critical systems and develop a security policy that defines your organization's stance on patch prioritization, testing and deployment. Personally, I prioritize patches by putting them in to one of two categories: security-related and everything else. For example, defending against an Internet worm is far more important than a functional issue in Microsoft Outlook.

Testing patches prior to deployment is a major roadblock to full automation. And if you have complex, heterogeneous systems, it will lengthen the testing process because it will take longer to test the patches in a variety of systems' configurations. Vendor patches can contain errors that require yet another patch to fully fix the problem, so it is essential that you adhere to strict validation and testing and document risk assessments prior to deployment when possible. You may have to compromise this practice, however, when the risk of an attack is deemed to outweigh the risk of system downtime. Remember, part of the patch management process involves ensuring that they are properly installed and monitoring that they are working as expected. Deploying patches to remote users can be a real headache because they may not be connected at the time of deployment. This can leave a network vulnerable if a laptop connects to the network after being infected by other sources.

Microsoft realized there were problems associated with keeping systems patched and up-to-date and revamped their Software Update Services, now calling it Windows Update Services. Now their Systems Management Server 2003 offers advanced patch deployment, reporting and compliance-enforcement features. There are also a wide variety of third-party patch management solutions. These are either scanner-based or agent-based, which install small programs on each computer to periodically poll a patch database for new updates, giving the administrator the option of applying the patch. Although agent-based solutions require set up work to integrate agents into workstations and servers, they are better-suited to large organizations than scanner-based solutions as they generate less network traffic and provide a real-time network view. I would recommend using at least one management solution along with strict policy rules in order to be able to role out patches in a reasonable time frame.

Finally, you may be interested in a paper titled, Timing the Application of Security Patches for Optimal Uptime by WireX Communications and Zero Knowledge Systems, which tries to factor in the problem of glitches in new patches while calculating the ideal time to apply patches after their release. According to their model, after 10-30 days is the ideal time.