Introduction

Patch management is the process of identifying, acquiring, installing, and verifying patches for products and systems. This document outlines the procedures for managing patches to ensure that systems are up-to-date and secure.

Objectives

  • Ensure the security and stability of IT systems.

  • Minimize the risk of vulnerabilities.

  • Maintain compliance with industry standards and regulations.

  • Provide a structured approach to patch management.

Process

Identification

  • Regularly check vendor websites, security bulletins, and automated tools for new patches, especially those from Azure

  • Use https://trivy.dev/ or a comparable tool to automatically scan each build artifact for known vulnerabilities, and regularly review the results of those scans

  • Regularly check Bug Bounty Program reports for reported vulnerabilities

  • Regularly check GH Advanced Security CodeQL scan reports for reported vulnerabilities in code

Automation

  • Use Renovate or Dependabot to automatically create patches for libraries used in source code

  • Automatically rebuild all images at least once a week to apply the latest base image and OS vulnerability patches on a continuous basis

Evaluation

  • Evaluate the criticality of each patch based on its CVSS 3.1 score and apply it according to the following timelines:

...

  • Ensure patches are compatible with existing systems and applications
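As an added example (not part of this page or of the project's own tooling), a small Python triage helper that reads a Trivy JSON report, rates each finding on the CVSS 3.1 qualitative severity scale and separates findings that already have a fixed version from those that do not. The report shape and field names follow what `trivy image --format json` emits as far as the author knows, but are an assumption, and the embedded report and its CVE identifiers are constructed placeholders.

```python
import json

# Constructed sample in the shape of a `trivy image --format json` report
# (assumed field names; only the fields this triage reads are included).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example/app:1.4.2",
    "Results": [{
        "Target": "registry.example/app:1.4.2 (debian 12.5)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
             "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.3", "FixedVersion": "",
             "Severity": "MEDIUM", "CVSS": {"nvd": {"V3Score": 5.3}}},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird",
             "InstalledVersion": "0.9", "FixedVersion": "1.0",
             "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.5}}},
        ],
    }],
})

def cvss31_severity(score: float) -> str:
    """CVSS v3.1 qualitative severity rating scale (spec section 5)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def triage(report_json: str) -> list:
    """Flatten a Trivy report into findings rated by their NVD CVSS 3.1 score.

    Findings without a v3 score fall back to Trivy's own Severity label so
    that nothing silently drops out of the evaluation step."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            score = v.get("CVSS", {}).get("nvd", {}).get("V3Score")
            sev = cvss31_severity(score) if score is not None else v.get("Severity", "Unknown").title()
            findings.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"], "severity": sev,
                             "score": score, "fixable": bool(v.get("FixedVersion"))})
    # Highest score first, unscored last: the patch timeline clock starts with these.
    return sorted(findings, key=lambda f: (f["score"] is None, -(f["score"] or 0)))

def summarize(findings: list) -> dict:
    """Count fixable (patch available) versus unfixed findings per severity bucket."""
    summary = {}
    for f in findings:
        bucket = summary.setdefault(f["severity"], {"fixable": 0, "unfixed": 0})
        bucket["fixable" if f["fixable"] else "unfixed"] += 1
    return summary
```

Unfixed findings still count against the timeline; they are the ones that need a compensating control or a vendor follow-up rather than a rebuild.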

Deployment

  • Test patches in test environments or on non-critical systems first

  • Ensure backups are available before applying patches to production systems

  • Where disruption is anticipated, apply patches during low-usage periods to minimize it

Verification

  • Verify that patches have been successfully applied, that systems are functioning correctly, and that the vulnerabilities are no longer exploitable

...