Introduction
Patch management is the process of identifying, acquiring, installing, and verifying patches for products and systems. This document outlines the procedures for managing patches to ensure that systems are up-to-date and secure.
Objectives
Ensure the security and stability of IT systems.
Minimize the risk of vulnerabilities.
Maintain compliance with industry standards and regulations.
Provide a structured approach to patch management.
Process
Identification
Regularly check vendor websites, security bulletins, and automated tools for new patches especially from Azure
Use https://trivy.dev/ or comparable tool to automatically scan each build artifact for known vulnerabilities and regularly check results of the scans
Regularly check Bug Bounty Program reports for reported vulnerabilities
Regularly check GH Advanced Security CodeQL scan reports for reported vulnerabilities in code
Automation
Use renovate or dependabot to automatically create patches for libraries used in source code
Automatically rebuild all images at least once a week to apply latest base image and OS vulnerability patches on a continuous basis
Evaluation
Evaluate criticality of each patch based on CVSS 3.1 and apply according to timelines:
...
Ensure patches compatibility with existing systems and applications
Deployment
Test patches in test environments or on non-critical systems first
Ensure backups are available before applying patches to production systems
Apply patches during low-usage periods to minimize disruption if disruption is anticipated
Verification
Verify that patches have been successfully applied, that systems are functioning correctly and that vulnerabilities are not exploitable anymore
...