Patch Management Systems: Evaluation Criteria and Capabilities
Shopping for a patch management system? Experts say you should look for these features.
By Mary Brandel
November 09, 2009 — Analysts and CISOs suggest putting the following considerations on your patch management shopping list. Also see the related in-depth How to Compare Patch Management Software.
Evaluation Criteria
The following are criteria to consider when choosing a patch management system:
- Range of operating systems supported (Microsoft, Unix, Linux, Mac OS, etc.)
- Range of applications supported (Adobe, Mozilla, RealNetworks, Apple, Java)
- Agent-based or agentless
- Types of real-time reporting available (patches deployed, when, by whom, to which endpoints, etc.)
- Scalability
- Ability to operate on low-bandwidth or globally distributed networks
- Ability to manage computers on or off the network
- Change control (ability to change settings back, pause deployments, etc.)
- Licensing options (subscription-based, perpetual or both)
- Ease of use
- Integration with other security and configuration management systems and capabilities
Range of Capabilities
A full-featured patch management system should do the following:
- Research: Receive information about new patches from vendors and push this information to the patch server.
- Asset discovery: Scan the network to produce a full inventory of IT assets, and provide flexible ways to group and classify these assets.
- Vulnerability assessment and prioritization: Identify vulnerabilities based on the specific endpoints in the environment and rank them in terms of which will have the most impact and which are most important to address.
- Remediation: Continuously deploy, monitor, detect and enforce patch management policies.
- Reporting: Provide real-time reports that satisfy the needs for auditing, compliance and management oversight.
Other stories by Mary Brandel
In-depth information on tools and strategies for writing secure code, finding vulnerabilities, and other critical application security issues
10 steps to secure browsing
Holistic patch management, browser settings, filtering, and other tactics
Vulnerability management: The basics
5 key tenets for making the most of vulnerability management efforts
Software security for developers
Building security in, from the requirements phase through deployment
Software security for app dev managers
Building and managing a software security program that pays off
How to use source code analysis tools
How to use web application vulnerability scanners
How to compare patch management software
Ranum: Does disclosure work?
- A Step-by-Step Guide to Building Virtualization Maturity and Maximizing Virtualization Outcomes
- A Road Map for Best Practice Social Media Acceptable Use Policy
- LogRhythm: The Platform for Cyber Threat Defense, Detection & Response
- LogRhythm CTO & Co-Founder takes "Deep Dive" Into LogRhythm's SIEM 2.0 Platform
- KPMG & LogRhythm: Apply Continuous Monitoring via SIEM 2.0 for Maximum Visibility & Protection
- Introduction to VMware vCenter Site Recovery Manager 5
- M86 report proves water is wet
No disrespect toward M86 Security intended. I've used a lot of their research in the past and they are always a pleasure to work with. But the latest report they sent me represents a big problem I'm finding with these documents lately: They tell us nothing new. Therefore, they are not helpful.
- Actor, banker, soldier, spy: Suits and Spooks Anti-Conference aims to redefine security
- SECURITY WISDOM WATCH: Gee Whiz Edition
More Salted Hash with Bill Brenner
