Software patching is a tricky beast. As we’ve already discussed in some detail (see Patch and Pray), the number of patches issued in any given month has swelled to the point of crisis, and patches applied to one application have a nasty habit of negatively affecting other software on the same system. Long term, a crucial part of the solution will be releasing applications with fewer flaws. In the meantime, though, CISOs are looking to patch management vendors to help mitigate their pain.

The problem is that, as with so many areas of security software, “patch management” systems vary widely in their functionality. Some vendors (such as PatchLink) provide pure-play patch management software. Others make patching part of a larger suite of system or network management capabilities. Poke around and you’ll find patching-related tools bearing all kinds of labels: configuration management, distribution automation, asset management, vulnerability mitigation, and systems and desktop management.

CISOs at bigger companies may have more complex patch management requirements but, then again, may already have some software distribution capability built into a network management product such as IBM’s Tivoli or Computer Associates’ Unicenter. “Whether you need a dedicated patch management system is a function of what other [management functions] you’re doing,” says Pete Lindstrom, research director of Spire Security, an infosecurity research company. “I know some people who just push their updates out on the network using Novell Zenworks,” another multipurpose systems management tool, Lindstrom says.

With so many levels of functionality to choose from, the list of patch management purveyors for CISOs to consider can be fairly lengthy (see “Finding It Online,” below, for a sample). However, that might well change during the next year. The biggest names in dedicated patch management tools are still small fish.
Symantec’s late 2003 announcement of its acquisition of ON Technology likely indicated the beginning of consolidation in this market, probably in the form of the software industry’s goliaths getting even bigger by acquiring these specialist companies. That’s probably a good thing, considering the complexity of system management issues that can be affected by software patches. Bigger vendors may be able to devote more resources to developing more robust offerings that can, for example, automate some of the testing process for corporate buyers. That’s something Lindstrom says current tools don’t do well. Particularly in Microsoft operating system environments, the ability to understand which files are being altered by a patch is a much-needed capability, he says.

“Depressing as [patch management] is from a big-picture point of view, you have to keep trying, and any piece you can automate will make a dramatic difference. Patching plays to the security pros’ interests anyway. It’s something they can do proactively,” whereas so much of the infosecurity profession is after-the-fact response, Lindstrom notes.
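The file-level visibility Lindstrom calls for (knowing exactly which files a patch altered) does not require a vendor product; a before-and-after inventory of content hashes gets you most of the way. The script below is an added example written for this article, not code from the magazine or from any vendor it names. It snapshots every file under a directory tree as a SHA-256 digest, applies a simulated patch to a constructed throwaway install tree, and reports which files were added, removed or changed. The tree layout and file names are made up for the demonstration.

```python
"""Snapshot a directory tree's file hashes before and after a patch and report
what the patch actually touched. Added example; not code from the article or
from any vendor it names."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root) to (size, SHA-256 hex digest)."""
    result = {}
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            digest = hashlib.sha256()
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(1 << 16), b""):
                    digest.update(chunk)
            rel = path.relative_to(root).as_posix()
            result[rel] = (path.stat().st_size, digest.hexdigest())
    return result


def diff_snapshots(before, after):
    """Classify files as added, removed or modified between two snapshots.

    Only content (size + hash) is compared, so a file whose timestamp was
    touched but whose bytes are unchanged is deliberately not reported.
    """
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a fake install tree, then a simulated patch.

    File names and contents are invented for this example only.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"old binary")
        (root / "bin" / "helper.dll").write_bytes(b"shared library")
        (root / "config.ini").write_text("version=1.0\n")
        before = snapshot(root)

        # Simulated patch: rewrites app.exe, drops helper.dll, adds a new DLL,
        # and only touches the timestamp on config.ini (content unchanged).
        (root / "bin" / "app.exe").write_bytes(b"new binary")
        (root / "bin" / "helper.dll").unlink()
        (root / "bin" / "crypto.dll").write_bytes(b"new dependency")
        os.utime(root / "config.ini")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run `snapshot()` against the real install directories on a test host before the patch, apply the patch, run it again and feed both results to `diff_snapshots()`; the output is the list of files that regression testing of other applications on that host should focus on. Hashes rather than timestamps are compared because installers routinely rewrite identical files. The caveat for Windows hosts is that a filesystem diff does not see registry changes or in-place service configuration; those need a separate inventory.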