This content is part of the Essential Guide: How to hone an effective vulnerability management program
Problem solve Get help with specific problems with your technologies, process and projects.

Valuable third-party patch deployment software, tools

Do you know some of the best third-party patch deployment tools? See expert Michael Cobb's recommendations on which tools would work best for your enterprise.

Could you advise me on the best third-party (free or commercial) patch deployment software, either from personal or professional experience?
Without knowing a little more about the network you're managing, it is difficult to recommend specific patch deployment software. Do you manage a heterogeneous network that is running a variety of different operating systems such as Windows, Linux and Mac? Do you deploy virtual machines or run non-standard applications? These types of issues will affect what type of patch deployment software you need.

If you have a Microsoft-based infrastructure, you will probably find that Microsoft's free WSUS (Windows Server Update Services) is the easiest way to keep your software up to date. However, if you run customized software or non-Microsoft applications, such as Adobe Reader and Mozilla Firefox, then WSUS will not be sufficient because it won't be able to help you patch these third-party applications.

Although Microsoft's System Center Configuration Manager (SCCM) isn't free, it can handle updates from other software vendors as well as updates for your own internal custom applications, plus bios and firmware for popular hardware vendors. It also gives you better targeting, delegation and reporting than WSUS. If you need to meet particular compliance standards or requirements, then the reporting capabilities of your patch management tool will be a factor in your choice of product, as you need to be able to show the patch status of your network.

For thorough and accurate reports, you'll find it hard to beat Corporate Software Inspector (CSI) from Denmark-based Secunia ApS. It provides a highly detailed software inventory, including both programs and plugins, mapped to security alerts and available updates. CSI can automatically repackage security updates and patches and push them to SCCM, checking that they are applied correctly and all systems are fully compliant.

If you have a limited budget, another free Windows-based patch management software is a SaaS-based application that is free for managing patch rollouts for up to 10 servers or workstations. If you have a heterogeneous network running different operating systems, then your choice of tool is more limited and you will likely have to pay for a more comprehensive commercial tool.

Well-known names in this field are LANDesk Software Inc.'s Patch Manager, a subscription service that automates vulnerability assessment and patch management throughout a heterogeneous network, and Lumension Security Inc.'s Vulnerability Management Solution aimed at complex, highly distributed environments.

I would recommend only using one tool for auditing -- scanning the network to see what's installed and what's needed -- as there can be inconsistencies between reports from different tools. It can be difficult to maintain consistency across your network if different segments are using different tools. Before you pay for patch management software, be sure you really need the additional features it offers over and above those of the free ones, as you will have to find the budget for training administrators unfamiliar with any new tools.

This was last published in February 2011

Dig Deeper on Microsoft Patch Tuesday and patch management