Security patch testing and deployment phase

Since it is very difficult to establish a security patch testing environment that is an exact replica of a production environment, the testing phase is typically the most problematic. This can be due to costs, and the presence of various operating systems and applications within the environment.

Testing the security patch
A security-related patch can affect many different parts of a system depending on the issue is it is supposed to fix and what is contained within the patch to do so. Therefore, testing must be included in the patching procedure and conducted for each patch planned for deployment. The goal of testing is to ensure that when a patch is deployed, the system's operations and applications are not impacted and business is not interrupted. To achieve this goal, the following minimum conditions must be met, and their success documented, before proceeding to the deployment phase:

• The testing environment simulates a majority of the targeted platforms
• The software delivery process succeeds on the targeted test platform
• The patch is installed on the target platform without significant issues
• Previously functioning operations on the target platform continue to operate after installation of the patch
• The patch is successfully removed in case of problems

If any of these conditions is not met, additional testing is performed prior to deploying the patch onto a vulnerable system. A few iterations may be required to ensure successful deployment and to reduce the risk of negatively impacting the affected system.

Deploying the security patch
Once the security patch successfully passes through the testing phase, you can begin the physical deployment process. Patches must be deployed in a manner that guarantees repeatability, consistency, status tracking and error logging...

Some organizations with limited test environments deploy patches onto a group of 'pilot' systems prior to rolling them out to the entire organization. If this method is used, the patch must be given enough time on the pilot systems to ensure no issues are identified. Once a pre-determined amount of time has passed and the deployment to the pilot systems is deemed successful, a full deployment to the remaining devices or nodes is scheduled.

The pilot method can be useful for affected servers as well. However, non-critical servers should be patched first and given the proper burn time. Again, once the pre-determined amount of time has passed, the patch can be installed on all the affected servers, including the highly critical ones.

When all the systems have been patched, the individual or group responsible for the tool reports the status of the deployment to their team.

ABOUT THE AUTHOR:

[IMAGE]Felicia Nicastro, CISSP, CHSP, ISSMP is a Principal Consultant with International Network Services (INS), with over seven years in the information security field. Felicia's areas of expertise include security policies and procedures, security assessments and security architecture planning, design, implementation and operation. Felicia has also authored a book on patch management, titled Curing the Patch Management Headache, which was released in February 2005.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Application and Platform Security,   Enterprise Vulnerability Management,   Security Patch Management,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates? RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.