Security Patch Management — 7 Do’s and Don’ts

Like other security tasks in development organizations, security patch management is not for the faint of heart. Data breaches like the Equifax fiasco and widespread ransomware attacks like WannaCry make the general public shudder and remind us that known security vulnerabilities don’t go away no matter how vehemently  we ignore them. However, the reality is that when you’re trying to push out releases under aggressive timeframes, implementing a patch management strategy becomes another item in a long list of tasks.

A security patch is like a band-aid for a software version that your organization is already using. As bug bounty and security research outfits work hard to analyze code and locate security issues, applications, firmware and middleware developers continuously work to fix those issues and push out patches to address those security vulnerabilities. Now all we have to do to ensure that our products are secure is to update the vulnerable version that our team or organization is using. Sound simple? It’s not.

That’s where security patch management comes in, making sure that security patches are rolled out efficiently, that security vulnerabilities are detected, that the most critical fixes are prioritized, that patches are tested so that they don’t interfere with other components and processes, and that all teams are working together so that the software development life cycle is still running smoothly.

We’ve put together a list of four recommended best practices and three common mistakes organisations need to avoid when putting together a security patch management strategy.

#1 Do: Come Prepared: Put a Security Patch Management Policy in Place

With new security vulnerabilities discovered and published at an alarming pace, organizations have to make sure that they have laid out the groundwork for addressing and fixing them. Having (Read more…)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Ayala Goldstein. Read the original post at: