Vulnerability Patch Management Process
- Andreas Hauri
- Michael Dreher
Introduction
Patch management is the process of identifying, acquiring, installing, and verifying patches for products and systems. This document outlines the procedures for managing patches to ensure that systems are up-to-date and secure.
Objectives
Ensure the security and stability of IT systems.
Minimize the risk of vulnerabilities.
Maintain compliance with industry standards and regulations.
Provide a structured approach to patch management.
Process
Identification
Regularly check vendor websites, security bulletins, and automated tools for new patches especially from Azure
Use Trivy Home - Trivy or comparable tool to automatically scan each build artifact for known vulnerabilities and regularly check results of the scans
Regularly check Bug Bounty Program reports for reported vulnerabilities
Regularly check GH Advanced Security CodeQL scan reports for reported vulnerabilities in code
Automation
Use renovate or dependabot to automatically create patches for libraries used in source code
Automatically rebuild all images at least once a week to apply latest base image and OS vulnerability patches on a continuous basis
Evaluation
Evaluate severity of each vulnerability based on CVSS 3.1 and apply according to timelines:
Critical/High | 1 month |
|---|---|
Medium | 3 months |
Low | 6 months |
Ensure patches compatibility with existing systems and applications
Reporting
In case of High or Critical severity vulnerabilities Unique reports the vulnerability and its details to partners running Unique on their own environments quarterly upon request
A Client can activate a proactive provision of the report as follows: Reach out to your Customer Success representative and provide them with a secure channel where you wish to receive the reports. Following this, the reports will be dispatched to the secure channel on a quarterly basis.
Deployment
Test patches in test environments or on non-critical systems first
Ensure backups are available before applying patches to production systems
Apply patches during low-usage periods to minimize disruption if disruption is anticipated
Verification
Verify that patches have been successfully applied, that systems are functioning correctly and that vulnerabilities are not exploitable anymore
Author | @Michael Dreher |
|---|
© 2024 Unique AG. All rights reserved. Privacy Policy – Terms of Service