Why Fixing Security Vulnerabilities Is Not That Simple

It sounds simple: a scanner identifies a vulnerability, and the vulnerability is patched. What happens in between, however, can be far from simple. Unless you are on a security team, or more specifically a vulnerability management team, you would never know the bumpy, winding road that often stretches between scanning and patching.


The Patch Management Process


When vulnerabilities are discovered within applications, networks, systems and other parts of an organization’s environment, the priority for those managing them is to ensure they are patched and up to date. It’s an essential practice that helps maintain security over time and reduces the risk of an attack. But while patching vulnerabilities is a basic concept, the process of patching tends to run on a separate track from the information security team’s, and is often only visible to individuals directly involved with it.


The result is an oversimplification of the patching process. Questions from outside the security organization may surface, such as, “Why not just patch it?” Alas, when it comes to patching, the devil is in the details. Business considerations, such as keeping certain systems running, and technical hiccups, such as applied patches that do not work, can slow down or temporarily halt the process.


To understand the top issues organizations may face between finding a vulnerability in a scan and actually patching it, I spoke with X-Force Red Hacking Chief Technology Officer (CTO) Steve Ocepek. Steve and his team help organizations around the world fix their most critical vulnerabilities.


I asked Steve to explain the top five bumps in the road that pop up during the process of patching. Here is what he shared.


1. The Business Leader Ver ..