Hot Stuff: Help With Patching Software
Recent news stories in the industry include summaries of analyst reports indicating that patch management costs are reaching significant levels (a recent quote from The Yankee Group states that “The cost to patch 5,000 desktops is more than $1 million, an average of $254 per desktop.”). Given that Microsoft released over 50 security bulletins in 2003 and that the pace for 2004 is on par with last year, this poses significant potential costs for organizations of all sizes. Given further that the critical nature of many security patches makes applying them mandatory rather than optional or discretionary, organizations can clearly use some help in dealing with them. Fortunately, lots of tools are available to help companies and organizations manage and apply their patches. Here are some examples:
- Microsoft’s own Baseline Security Analyzer (MBSA) can offer some help with this situation by scanning for patches that may still be pending, but as a free tool it doesn’t offer the kinds of capabilities and facilities included in the other tools mentioned here.
- Shavlik is the organization that built the code on which MBSA is based. The company offers a collection of tools that includes HFNetChkPro and HFNetChkPro AdminSuite, as well as other tools for inspecting and monitoring security configuration and settings. These take the basic MBSA capabilities and further automate and enhance them.
- Marimba offers anti-virus and patch management solutions that scan for and detect vulnerabilities and offer automatic remediation for them. These work in networks of all scales, from single segments to vast, distributed, multi-site, multi-technology networks.
- Opsware offers a software management environment that includes a Patch Management Subsystem that not only automates patch collection, distribution, and application, but also permits organizations to standardize on patch levels and requirements. It even makes sure that as new clients and servers are built, they meet the same requirements (and match the same configurations) as up-to-date systems already in production use.
- Ecora offers a Patch Manager software product that inventories and tracks systems and software within organizations by type and category (clients and servers, along with key applications and data collections) and enforces patch compliance. The product uses auto-discovery to recognize systems and applications, provides patch testing and severity ratings as a service along with deployment recommendations, and supports a variety of remediation schemes for patch application. It also offers automated patch rollbacks and extensive reporting capabilities, as well as policy-based patch analysis and remediation approaches.
A quick visit to your favorite search engine will reveal that “patch management tools” turns up scads of other potential help for software patching problems. As with so much else in the field of information security, knowing about patches isn’t enough—it’s necessary to routinely do something about them. And indeed, this is where this kind of tool can help.