
patch/vulnerability management process

Are there any useful guides which break down how to handle patching & vulnerability management into a set of best practices? Every time we look into it there are just links to commercial tools which you can use to scan for out-of-date software. While those will point out where you aren't doing so well (e.g. outdated software, unsupported software etc.), what I am more after is some detailed best practices on how to manage the patching/remediation process in general, and the considerations needed to help define & implement your policies and procedures around it. If there is such a thing then that would be most helpful. I was going to look through PCI DSS as that is a set of expected controls with some detail, rather than just links to an expensive vulnerability scanner or scanning service to tell you how badly/well you are doing.

Exec Consultant
Distinguished Expert 2019
NIST has good implementation guidance


This may be handy for policy development, as the key is to first establish the intent; hence the questions below help chart the writing.

For example, organizations should implement and use appropriate measures for their enterprise patch management technologies and processes.

Examples of possible implementation measures include:

• What percentage of the organization’s desktops and laptops are being covered by the enterprise patch management technologies?

• What percentage of the organization’s servers have their applications automatically inventoried by the enterprise patch management technologies?

Examples of possible effectiveness/efficiency measures include:

• How often are hosts checked for missing updates?

• How often are asset inventories for host applications updated?

• What is the minimum/average/maximum time to apply patches to X% of hosts?

• What percentage of the organization’s desktops and laptops are patched within X days of patch release? Y days? Z days? (where X, Y, and Z are different values, such as 10, 20, and 30)

• On average, what percentage of hosts are fully patched at any given time? Percentage of high impact hosts? Moderate impact? Low impact?

• What percentage of patches are applied fully automatically, versus partially automatically, versus manually?

Another, more in-depth, treatment would be as follows:

Patch management policy. IT management needs to define policies that govern the patch management activities within the organization, including who tests and applies patches into production systems, how, and when.

Assets inventory. IT needs to know every asset in its environment in order to identify which patches are needed when vendors make them available.

Patch testing. A procedure and a lab environment are required to test patches before applying them to the production environment.

Structure and planning. The complexities of the modern IT stack, with its numerous points of integration, customized pieces, add-ons, etc. that are often spread among multiple locations as well as mobile endpoints, make patching more complicated. Access to the infrastructure component map is required to properly manage the patch testing and installation processes.

Ownership and accountability. A typical IT department has many workers who apply patches as part of their portfolio of responsibilities; as a result, patch management can become a task done by many but owned by no one. It is difficult for an enterprise to have a strong patch management process without clear accountability.

Document. A strong patch management discipline should include a way to identify and document patches as they are released by vendors, when they are scheduled to be tested and deployed in the enterprise, and when the patches have been completed.
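The effectiveness measures quoted from NIST above ("patched within X/Y/Z days", "time to apply patches to X% of hosts", "percentage of hosts fully patched", "automatic vs. manual") are easiest to get right when they are computed from the same asset inventory the answer says you must keep. The script below is an added example, not from the answer or from NIST: it computes those measures over a small constructed inventory of (host, patch) records. The host names, patch IDs, dates and the definitions it uses (release day counts as day 0, "within N days" is inclusive, a host with no record for a patch is treated as not needing it) are all assumptions of this example.

```python
"""Patch-compliance measures computed from a per-host, per-patch inventory.

Added example, not code from the thread. Inventory data below is constructed
sample data; the measure definitions are this example's own assumptions.
"""
from datetime import date
from math import ceil
from statistics import mean

# Constructed sample inventory (not real hosts). Kinds and impact levels follow
# the categories used in the measures quoted in the answer.
HOSTS = {
    "ws-01": {"kind": "desktop", "impact": "low"},
    "ws-02": {"kind": "desktop", "impact": "low"},
    "ws-03": {"kind": "laptop", "impact": "moderate"},
    "srv-01": {"kind": "server", "impact": "high"},
    "srv-02": {"kind": "server", "impact": "high"},
    "srv-03": {"kind": "server", "impact": "moderate"},
}
# Vendor release dates of two hypothetical patches.
PATCHES = {"P1": date(2024, 3, 5), "P2": date(2024, 4, 2)}
# One record per (host, patch, date applied or None if still missing, method).
RECORDS = [
    ("ws-01", "P1", date(2024, 3, 8), "auto"),
    ("ws-02", "P1", date(2024, 3, 20), "auto"),
    ("ws-03", "P1", date(2024, 4, 10), "manual"),
    ("srv-01", "P1", date(2024, 3, 12), "partial"),
    ("srv-02", "P1", None, "manual"),
    ("srv-03", "P1", date(2024, 3, 30), "manual"),
    ("ws-01", "P2", date(2024, 4, 5), "auto"),
    ("ws-02", "P2", date(2024, 4, 12), "auto"),
    ("ws-03", "P2", None, "manual"),
    ("srv-01", "P2", date(2024, 4, 9), "partial"),
    ("srv-02", "P2", date(2024, 4, 20), "manual"),
    ("srv-03", "P2", date(2024, 4, 30), "manual"),
]
AS_OF = date(2024, 4, 15)  # reporting date used in the usage below


def days_to_apply(rec):
    """Days from vendor release to installation, or None if still missing."""
    _host, patch, applied, _method = rec
    return None if applied is None else (applied - PATCHES[patch]).days


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 for an empty population."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def pct_patched_within(days, kinds=None):
    """Share of (host, patch) pairs installed within `days` of release
    (inclusive), optionally restricted to host kinds such as desktops/laptops."""
    rows = [r for r in RECORDS if kinds is None or HOSTS[r[0]]["kind"] in kinds]
    hit = [r for r in rows if days_to_apply(r) is not None and days_to_apply(r) <= days]
    return pct(len(hit), len(rows))


def time_to_cover(pct_hosts):
    """Min/avg/max days, across patches, until pct_hosts% of the hosts needing a
    patch had it installed. Patches that never reached the threshold are
    skipped; returns None if none did."""
    reached = []
    for patch in PATCHES:
        rows = [r for r in RECORDS if r[1] == patch]
        delays = sorted(d for d in map(days_to_apply, rows) if d is not None)
        idx = ceil(pct_hosts / 100 * len(rows)) - 1  # k-th fastest host, 0-based
        if idx < len(delays):  # enough hosts applied it to reach the threshold
            reached.append(delays[idx])
    return (min(reached), mean(reached), max(reached)) if reached else None


def pct_fully_patched(as_of, impact=None):
    """Share of hosts that, as of `as_of`, had installed every patch they need
    that was released on or before `as_of`; optionally per impact level."""
    hosts = [h for h, meta in HOSTS.items() if impact is None or meta["impact"] == impact]

    def fully_patched(host):
        mine = [r for r in RECORDS if r[0] == host and PATCHES[r[1]] <= as_of]
        return all(r[2] is not None and r[2] <= as_of for r in mine)

    return pct(sum(fully_patched(h) for h in hosts), len(hosts))


def pct_by_method():
    """How installed patches were applied: fully automatic / partial / manual."""
    applied = [r for r in RECORDS if r[2] is not None]
    return {m: pct(sum(r[3] == m for r in applied), len(applied))
            for m in ("auto", "partial", "manual")}


if __name__ == "__main__":
    print("Desktops/laptops patched within 10/20/30 days:",
          [pct_patched_within(d, {"desktop", "laptop"}) for d in (10, 20, 30)])
    print("Days to reach 50% of hosts (min/avg/max):", time_to_cover(50))
    print("Fully patched as of", AS_OF,
          {lvl: pct_fully_patched(AS_OF, lvl) for lvl in (None, "high", "moderate", "low")})
    print("Application method mix:", pct_by_method())
```

Two things worth noting from the design: the "fully patched" measure is computed against a reporting date, so a patch applied after that date does not retroactively improve last month's number; and `time_to_cover` reports nothing for a threshold the fleet never reached, which is exactly the condition (a patch stuck on some hosts) the "ownership and accountability" point above is meant to surface.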
madunix, Chief Information Officer, EE MVE
Most Valuable Expert 2019
Per ISACA, a patch management system is a preventive control in that it corrects discovered weaknesses by applying a patch to the original program code that eliminates the weakness, preventing exploitation.

Make sure that a patch management system is in place to ensure that all relevant patches are installed. This is especially important for any patches released that apply to the OS and software applications. Implement patch management software that will allow you to test software updates and then deploy them efficiently. Vendors release security fixes frequently; incorporating these fixes into your environment can halt the impact of a system breach.

Beware, incident management often includes vulnerability management and security awareness training. It may consist of proactive activities intended to help prevent incidents.

Check the following:

The U.S. government's repository of vulnerability management data. Data is maintained in the machine-readable format specified by the Security Content Automation Protocol (SCAP). NVD includes databases of security checklists, security-related software defects, misconfigurations, product names, and impact metrics. https://nvd.nist.gov

A searchable archive of exploits and vulnerable software, supplied in a standard format. https://www.exploitdb.com/

Common Weakness Enumeration (CWE), sponsored by MITRE, provides a catalog of software weaknesses and vulnerabilities, with the goal of reducing security-related software flaws and creating automated tools to identify, correct, and prevent such flaws.  http://cwe.mitre.org/