Patch management is an administrator’s control over operating system (OS), platform, or application updates. It entails identifying system features that can be improved or fixed, creating that improvement or fix, releasing the update package, and validating the installation of those updates. Patching—along with software updates and system reconfiguration—is an important part of IT system lifecycle management.
Patches are new or updated lines of code that determine how an operating system, platform, or application behaves. Patches are usually released as-needed to fix mistakes in code, improve the performance of existing features, or add new features to software. Patches are always released as updates to existing software, and are not newly compiled OSs, platforms, or applications.
Patches can also impact hardware—like when we released patches that altered memory management, created load fences, and trained branch predictor hardware in response to the Meltdown and Spectre attacks of 2018 that targeted microchips.
Because modifications like these are usually quicker to distribute than minor or major software releases, patches are a routine security control against cyber attacks, security breaches, and malware, which typically exploit vulnerabilities introduced by emerging threats, missing or outdated patches, or system misconfigurations.
Patch management matters because patching without a plan can get messy.
Enterprise IT environments can contain hundreds of systems operated by large teams—requiring thousands of security patches, bug fixes, and configuration changes. Even with a scanning tool, manually sifting through data files to identify systems, updates, and patches can be onerous.
Patch management tools help generate clear reports on which systems are patched, which need patching, and which are noncompliant.
Patch management solutions can be paired with automation software to improve configuration and patch accuracy while reducing errors. With automation, systems can be identified, tested, and patched with far less manual input.
For example, a handful of Red Hat Ansible Automation Platform modules can automate portions of patching processes, including invoking HTTP patch methods, applying patches using the GNU patch tool, and applying (or reverting) all available system patches.
There are some servers that work together for one customer and must be rebooted in a specific order, so the Ansible playbook/script ensures that happens.
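The ordered-reboot requirement above is a dependency-ordering problem. The following is an added example, not code from the original page or from Red Hat: it takes a constructed inventory of interdependent hosts (the host names and dependencies are assumptions), computes a reboot order in which every host's dependencies are rebooted before the host itself, groups the order into waves that can be rebooted concurrently (the batches an Ansible `serial` run would step through), and refuses to produce a plan when the dependencies contain a cycle rather than silently breaking it.

```python
"""Plan a reboot order for interdependent servers.

Constructed example: hosts are rebooted only after every host they depend
on has been rebooted, and a dependency cycle is reported as an error
instead of being silently broken.
"""

# Constructed inventory: host -> list of hosts it depends on.
# (Names and relationships are assumptions for this example.)
CUSTOMER_HOSTS = {
    "db01": [],
    "db02": [],
    "app01": ["db01", "db02"],
    "app02": ["db01", "db02"],
    "lb01": ["app01", "app02"],
}


class DependencyCycleError(ValueError):
    """Raised when the dependency graph cannot be ordered."""


def reboot_order(deps):
    """Return a deterministic host list, dependencies before dependents.

    Kahn's topological sort; hosts whose dependencies are all satisfied are
    taken in name order so the plan is reproducible across runs.
    """
    hosts = set(deps)
    for needed in deps.values():
        hosts.update(needed)
    indegree = {h: 0 for h in hosts}          # unsatisfied dependencies per host
    dependents = {h: [] for h in hosts}       # reverse edges
    for host, needed in deps.items():
        for dep in needed:
            indegree[host] += 1
            dependents[dep].append(host)

    ready = sorted(h for h in hosts if indegree[h] == 0)
    order = []
    while ready:
        host = ready.pop(0)
        order.append(host)
        for dependent in sorted(dependents[host]):
            indegree[dependent] -= 1
            if indegree[dependent] == 0:
                ready.append(dependent)
        ready.sort()

    if len(order) != len(hosts):
        # Every remaining host still waits on another remaining host: a cycle.
        stuck = sorted(h for h in hosts if indegree[h] > 0)
        raise DependencyCycleError(f"dependency cycle among: {stuck}")
    return order


def reboot_waves(deps):
    """Group the order into waves whose members can be rebooted concurrently.

    A host's wave is one more than the deepest wave of its dependencies, so
    each wave only starts after everything it needs is back up.
    """
    order = reboot_order(deps)
    level = {}
    for host in order:
        needed = deps.get(host, [])
        level[host] = 0 if not needed else 1 + max(level[d] for d in needed)
    waves = {}
    for host in order:
        waves.setdefault(level[host], []).append(host)
    return [waves[k] for k in sorted(waves)]


if __name__ == "__main__":
    for n, wave in enumerate(reboot_waves(CUSTOMER_HOSTS), start=1):
        print(f"wave {n}: {', '.join(wave)}")
```

Each wave maps naturally onto one play (or one `serial` batch) that reboots its hosts and waits for them to report healthy before the next wave starts; the cycle check is the safeguard that stops a bad inventory edit from producing a plan that can never complete.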
Identify systems that are noncompliant, vulnerable, or unpatched.
Prioritize patches based on the potential impact.
Patch often. Patches are usually shipped once a month or sooner.
Test patches before placing them into production.
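The first two practices above, identifying noncompliant systems and prioritizing patches by impact, are what a patch management report produces. The following is an added example, not code from the original page or from any patch management product: it runs over constructed scan output (host names, package versions, advisory severities, and exposure flags are all assumptions), reports which hosts are compliant and which are missing patches, and orders the outstanding patches so that high-severity fixes on internet-facing hosts come first.

```python
"""Patch compliance report and prioritization over constructed scan data."""
import re
from dataclasses import dataclass

# Constructed advisories: package -> (fixed version, severity 0-10, issue class).
ADVISORIES = {
    "openssl": ("3.0.12", 9.8, "remote code execution"),
    "sudo": ("1.9.15", 7.8, "local privilege escalation"),
    "curl": ("8.4.0", 5.3, "information disclosure"),
}

# Constructed scanner output: host -> exposure flag and installed versions.
SCAN = {
    "web01": {"exposed": True,
              "packages": {"openssl": "3.0.9", "curl": "8.4.0", "sudo": "1.9.15"}},
    "web02": {"exposed": True,
              "packages": {"openssl": "3.0.12", "curl": "8.2.1", "sudo": "1.9.15"}},
    "db01": {"exposed": False,
             "packages": {"openssl": "3.0.9", "curl": "8.4.0", "sudo": "1.9.13"}},
    "bastion": {"exposed": True,
                "packages": {"openssl": "3.0.12", "curl": "8.4.0", "sudo": "1.9.15"}},
}


def version_key(version):
    """Compare versions by their numeric components (assumes dotted numerics)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: str
    fixed: str
    severity: float
    exposed: bool

    @property
    def priority(self):
        # Simple impact score: severity, doubled for internet-facing hosts.
        return self.severity * (2.0 if self.exposed else 1.0)


def find_missing_patches(scan, advisories):
    """Return one Finding per (host, package) still below the fixed version."""
    findings = []
    for host, info in scan.items():
        for package, (fixed, severity, _) in advisories.items():
            installed = info["packages"].get(package)
            if installed is None:
                continue  # package not present, advisory does not apply
            if version_key(installed) < version_key(fixed):
                findings.append(Finding(host, package, installed, fixed,
                                        severity, info["exposed"]))
    return findings


def compliance_report(scan, advisories):
    """Split hosts into compliant and noncompliant sets."""
    noncompliant = {f.host for f in find_missing_patches(scan, advisories)}
    return {
        "compliant": sorted(set(scan) - noncompliant),
        "noncompliant": sorted(noncompliant),
    }


def prioritized(findings):
    """Order findings highest impact first, with a stable tie-break."""
    return sorted(findings, key=lambda f: (-f.priority, f.host, f.package))


if __name__ == "__main__":
    report = compliance_report(SCAN, ADVISORIES)
    print("compliant:   ", ", ".join(report["compliant"]))
    print("noncompliant:", ", ".join(report["noncompliant"]))
    for f in prioritized(find_missing_patches(SCAN, ADVISORIES)):
        print(f"{f.priority:5.1f}  {f.host:8} {f.package:8} "
              f"{f.installed} -> {f.fixed} ({ADVISORIES[f.package][2]})")
```

In practice the advisory table comes from the vendor's errata feed and the scan data from the patch management tool, but the shape of the report is the same: a compliance list for auditing and a priority queue that decides which patches go through testing and into production first.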