Application Patch Management – CompTIA Security+ SY0-401: 4.1

A patching strategy for an application should be well designed. In this video, you’ll learn about application patch management, how different operating systems are patched, and some of the challenges with maintaining a well patched computing environment.


One of the constant things that you will find is that your applications will always need to be updated. There are so many different ways to go about doing this.

But we also have to think about why we would want to update our applications. One is to get some additional features. A new version comes out. It’s got a most requested capability. It has some features that are going to add value to the way that you use that application. So it makes perfect sense to update your application that way.

Occasionally, you will find bugs. You’ll find problems with the way that the application works. And so the people who develop the application will fix those bugs and provide you with an updated version that fixes all of those problems.

We also need to think about, of course, security. If you find a security vulnerability in an application, it obviously is going to be very important to have that application updated to the latest version. You don’t want to have the bad guys discover that you’re using this application that has this known vulnerability. Because they’re going to attack it. They’re going to exploit that vulnerability so that they can use the application for their own purposes.

These application updates will often come in through the operating system updater itself. In Windows, for instance, there’s Windows Update, which provides you with the front end to update not only your operating system, but also the applications that you’re running in your operating system, if those applications are from Microsoft. It’s a very simple way to have this work. It’s in many cases automated. And it is an individual, workstation-by-workstation method. You would use Windows Update on a machine to update the local operating system on that machine.

If you’re in a larger environment, though, that could be a bit tedious. You don’t want 1,000 different computers all going out to Microsoft, all downloading exactly the same patches. That’s going to use up a lot of your internet bandwidth. So what many administrators prefer doing is using Windows Server Update Services. Windows Server Update Services centralizes patch management on a server in your organization. The patch server downloads the patches, and then it provides the patches to the end user workstations.

Obviously, you have to configure every workstation to be able to use that centralized patch management server. But in the Windows environment, that’s done through Group Policy. It’s an automated process. When you’re in a very large domain, it’s not as hard as it sounds. And once you have that server set up, it’s very efficient. And you have control over exactly what patches are pushed out and when they are pushed out to the end users. If you’re in Mac OS X, then you have the Apple menu’s Software Update option. So you can update the software on an individual basis in that OS.
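For the Windows side described above, a quick way to confirm that a workstation really picked up the centralized patch server from policy is to read the Windows Update policy values in the registry. This is an added example, not part of the original video; it assumes Windows PowerShell on the workstation, and the wording of the findings is my own.

```powershell
# Added example: report how policy has configured this workstation's update client.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or value is absent (no policy applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$wuServer     = Get-PolicyValue $wuKey 'WUServer'        # patch server URL
$statusServer = Get-PolicyValue $wuKey 'WUStatusServer'  # reporting server URL
$useWUServer  = Get-PolicyValue $auKey 'UseWUServer'     # 1 = use the server above
$auOptions    = Get-PolicyValue $auKey 'AUOptions'       # install behaviour

# Meaning of the AUOptions policy values.
$auMeaning = @{
    2 = 'notify before download'
    3 = 'download automatically, notify before install'
    4 = 'download automatically, install on schedule'
    5 = 'local administrator chooses'
}

$findings = @()
if ($useWUServer -ne 1 -or -not $wuServer) {
    $findings += 'No central patch server set by policy; this client goes to Microsoft directly.'
} else {
    $findings += "Patch server from policy: $wuServer"
    if ($wuServer -notmatch '^https://') {
        $findings += 'Patch server URL is not HTTPS; update metadata travels unencrypted.'
    }
    if ($statusServer -and $statusServer -ne $wuServer) {
        $findings += "Status server differs from patch server: $statusServer"
    }
}
if ($null -eq $auOptions) {
    $findings += 'Automatic update behaviour is not set by policy.'
} elseif ($auMeaning.ContainsKey([int]$auOptions)) {
    $findings += "Automatic updates: $($auMeaning[[int]$auOptions])"
} else {
    $findings += "Automatic updates: unrecognised AUOptions value $auOptions"
}

$findings
```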

Every operating system has these, and Linux, of course, is no exception. You can use many different ways to do this in Linux. And it depends exactly on the distribution. You can use rpm or yum or apt-get. If you’re running a GUI, you can run a software update in the GUI itself so that you can process it that way. Regardless of the operating system, you’re going to want to use whatever method is available to you to make sure you keep the operating system and your applications up to date.

Keeping your systems up to date is not the easiest thing. It takes a lot of management. It takes a lot of study to understand what patches are out there.

Let me give you a good idea of this. This is a Windows 7 machine that I’ve not patched in quite some time. I’m going to go to my Start menu, right to the Control Panel. And as we mentioned, Windows has a Windows Update feature that I can choose. This Windows Update is going to show me exactly what updates are available. There are 28 important updates available, and 52 optional updates. Now you have to make a decision. Of these 80 different updates that are out here, which ones do we put on our computer?

If I look at the important updates, you’ll see a big list come up. I have no idea what these are. In fact, you’ll see a lot of them are called Security Update for Windows 7. And there’s no other explanation of this, other than the knowledge base article and the information to the side that tells us about it. Now fortunately, there’s more information. We can always click More Details. It will open up a browser and give us more information on Microsoft’s site about what that specific patch is going to provide for us.

And we as the security people now have to decide: is this a patch that makes sense to deploy on our workstations? Is this patch going to break one of our critical applications? Very often, we get these updates from Microsoft. We now have to go test them. Let’s take our test machine in our lab. Let’s load up these patches. Let’s run the apps that we run internally, and make sure that it’s not going to break anything. And then we’re going to deploy them.

Obviously, that takes time. And when you have a vulnerable operating system, you don’t want to keep it vulnerable for very long. So there’s a balancing act between making sure that our systems continue to operate and keeping them secure. And that’s, from a security perspective, something we always have to keep in mind.

Once you’ve tested the patch, you’re sure that it’s going to work on your system, it’s not going to break any other applications, and you’re able to deploy it, you then have to go back and reconsider doing another application-level baseline. Now that our system is using a new set of patches and it’s at a different security level, we want to be sure that we understand exactly what’s included with those patches. So that if we need to rebuild another system, or we need to check the security of our app, we’ll know exactly the operating system that it’s running on.
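One way to record that new baseline after a patch cycle, as an added example that is not part of the original video: it assumes Windows PowerShell, keeps the baseline in a CSV file whose name is hypothetical, and relies on `Get-HotFix`, which lists operating system updates but not every application patch.

```powershell
# Added example: compare installed updates with the last recorded patch baseline.
param(
    [string]$BaselinePath = '.\patch-baseline.csv',  # hypothetical file name
    [switch]$Accept                                  # store current state as the new baseline
)

# Current patch level of this machine.
$current = Get-HotFix |
    Select-Object HotFixID, Description, InstalledOn |
    Sort-Object HotFixID

if (-not (Test-Path $BaselinePath)) {
    # First run: nothing to compare against, so record the baseline.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    "No earlier baseline; recorded $(@($current).Count) updates in $BaselinePath"
    return
}

$previous = Import-Csv -Path $BaselinePath
$prevIds  = @($previous.HotFixID | Where-Object { $_ })
$curIds   = @($current.HotFixID  | Where-Object { $_ })

# Updates installed since the baseline was taken.
$added   = @($curIds  | Where-Object { $_ -notin $prevIds })
# Updates in the baseline that are no longer present (removed or rolled back).
$removed = @($prevIds | Where-Object { $_ -notin $curIds })

"Baseline: $($prevIds.Count) updates; now: $($curIds.Count) updates"
if ($added.Count)   { "New since baseline:  $($added -join ', ')" }
if ($removed.Count) { "Missing vs baseline: $($removed -join ', ')" }
if (-not $added.Count -and -not $removed.Count) { 'System matches the recorded baseline.' }

if ($Accept) {
    # Run with -Accept only after the patches were tested and deployed on purpose.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    "Baseline updated: $BaselinePath"
}
```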