Tip

Security patch testing and deployment phase

Felicia Nicastro, CISSP, CHSP, ISSMP

Since it is very difficult to establish a security patch testing environment that is an exact replica of a production environment, the testing phase is typically the most problematic. This can be due to costs, and the presence of various operating systems and applications within the environment.

Testing the security patch
A security-related patch can affect many different parts of a system depending on the issue is it is supposed to fix and what is contained within the patch to do so. Therefore, testing must be included in the patching procedure and conducted for each patch planned for deployment. The goal of testing is to ensure that when a patch is deployed, the system's operations and applications are not impacted and business is not interrupted. To achieve this goal, the following minimum conditions must be met, and their success documented, before proceeding to the deployment phase:

  • The testing environment simulates a majority of the targeted platforms
  • The software delivery process succeeds on the targeted test platform
  • The patch is installed on the target platform without significant issues
  • Previously functioning operations on the target platform continue to operate after installation of the patch
  • The patch is successfully removed in case of problems

If any of these conditions is not met, additional testing is performed prior to deploying the patch onto a vulnerable system. A few iterations may

    Requires Free Membership to View

be required to ensure successful deployment and to reduce the risk of negatively impacting the affected system.

Deploying the security patch
Once the security patch successfully passes through the testing phase, you can begin the physical deployment process. Patches must be deployed in a manner that guarantees repeatability, consistency, status tracking and error logging. This is typically achieved with a patch management tool. There are myriad options available and organizations should use the tool that best fits their environment. Depending on how the roles and responsibilities of the patch management procedure are documented, the tool administrator, server administrator or desktop group can deploy a patch. These roles and responsibilities should be defined in advance within the patch management process itself.

Some organizations with limited test environments deploy patches onto a group of 'pilot' systems prior to rolling them out to the entire organization. If this method is used, the patch must be given enough time on the pilot systems to ensure no issues are identified. Once a pre-determined amount of time has passed and the deployment to the pilot systems is deemed successful, a full deployment to the remaining devices or nodes is scheduled.

The pilot method can be useful for affected servers as well. However, non-critical servers should be patched first and given the proper burn time. Again, once the pre-determined amount of time has passed, the patch can be installed on all the affected servers, including the highly critical ones.

When all the systems have been patched, the individual or group responsible for the tool reports the status of the deployment to their team.


Step by Step: Best practices for security patch management

  Introduction
  How to prepare for security patch testing
  Security patch testing and deployment phase
  Security patch validation and verification

ABOUT THE AUTHOR:
Felicia Nicastro, CISSP, CHSP, ISSMP is a Principal Consultant with International Network Services (INS), with over seven years in the information security field. Felicia's areas of expertise include security policies and procedures, security assessments and security architecture planning, design, implementation and operation. Felicia has also authored a book on patch management, titled Curing the Patch Management Headache, which was released in February 2005.

This was first published in September 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.