Rolling Review: Automated Patch Management Applications

In a perfect world, vendors would release only secure software and patching would be just a bad memory. Of course, that's about as likely as a cure for the common cold in our lifetimes. In 2006, the CERT Program at Carnegie Mellon's Software Engineering Institute reported upward of 8,000 application vulnerabilities that required software patches, 30% more than in 2005. Granted, patching alone won't stop every attack; we're seeing more zero-day attacks than ever. But for too many IT shops, patching still causes a great deal of angst because they lack the tools, processes and resources to implement it effectively.

But that doesn't mean you're excused. No fewer than 14 patch management vendors are making waves and gaining followings. Each product has its strengths and weaknesses, and we're hoping to get most of them into our lab in the near future. We'll also highlight resources, such as the listserv dedicated to discussing security patch management topics across a broad range of operating systems, applications and network devices.

THE INVITATION: For this Rolling Review, we're allowing both desktop and server patch management products and will test each in the appropriate environment, on as many OSes as are supported. We will note when products do not provide wide OS coverage.

We'll evaluate patch management products in our Windward Consulting Group Real-World Labs, judging each on breadth of platforms supported, how well it uses subscription services to discover patches, how thoroughly it discovers our environment, what rollback capabilities are available, testing and staging capabilities prior to production, reporting, and network bandwidth control.

Our test environment will contain a mix of Windows XP desktops, Windows 2003 servers, Red Hat Linux servers and Solaris 10 servers. We will patch antivirus software, operating systems and/or Microsoft Exchange on the servers. Our pricing scenario includes 500 Windows desktops, 50 Windows servers, 50 Linux servers, 150 Sun Solaris servers and 25 VMware ESX virtual servers.

We invited 14 companies to participate in our review: BigFix, BladeLogic, BMC Software, CA, Configuresoft, Ecora Software Corp., IBM, Kaseya Corp., LANDesk Software, Lumension Security/PatchLink, Novell, Opsware, Shavlik Technologies and Symantec Corp.

Ideally, in larger shops patch management will be just one element of a comprehensive configuration management or software distribution system. Smaller companies can get by with standalone tools, but many end up needing several different point products for different types of apps and devices. However you manage it, automation is critical, as are documenting changes, testing to ensure that patches won't break other apps, and deployment policies that keep patch traffic from bogging down the network.

What Happens in Redmond...
While the need to patch applications is as old as computing, the volume of Windows updates coupled with Microsoft's market dominance has focused attention on the issue. Since the introduction of Windows 98, Microsoft has looked to automate patching of Windows servers and desktops. Its current incarnation, Windows Server Update Services, or WSUS, provides a locally managed update service as an alternative to having every client pull updates directly from Microsoft Update. Using WSUS, IT can approve patches centrally and distribute them to clients from a server on the local network.
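As an added illustration of the WSUS model just described (this is not code from the review or from Microsoft's documentation), the following PowerShell snippet points a Windows client at an internal WSUS server using the Windows Update policy registry keys, places it in a pilot target group so patches can be staged before production, and checks that the setting took. The server URL and the "Pilot" group name are assumptions; the registry paths and value names are the standard Windows Update policy settings.

```powershell
# Added example: redirect a Windows client from Microsoft Update to an internal WSUS server.
# Run in an elevated PowerShell session. The server URL below is hypothetical;
# 8530 is the default WSUS HTTP port.
$WsusUrl   = 'http://wsus.example.internal:8530'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

foreach ($key in $PolicyKey, $AuKey) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# WUServer is where the client fetches approved updates; WUStatusServer is where it reports status.
New-ItemProperty -Path $PolicyKey -Name 'WUServer'       -Value $WsusUrl -PropertyType String -Force | Out-Null
New-ItemProperty -Path $PolicyKey -Name 'WUStatusServer' -Value $WsusUrl -PropertyType String -Force | Out-Null

# UseWUServer=1 makes Automatic Updates use the intranet server instead of Microsoft Update.
# AUOptions=4 downloads and installs on a schedule, which keeps reboots out of business hours.
New-ItemProperty -Path $AuKey -Name 'UseWUServer' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $AuKey -Name 'AUOptions'   -Value 4 -PropertyType DWord -Force | Out-Null

# Client-side targeting: the WSUS admin approves patches for the "Pilot" group first (assumed
# group name), then for production, giving the staged rollout the review asks about.
New-ItemProperty -Path $PolicyKey -Name 'TargetGroupEnabled' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $PolicyKey -Name 'TargetGroup' -Value 'Pilot' -PropertyType String -Force | Out-Null

# Check: read the values back so a typo does not leave the client silently on Microsoft Update.
$cfg = Get-ItemProperty -Path $PolicyKey
$au  = Get-ItemProperty -Path $AuKey
if ($au.UseWUServer -ne 1 -or $cfg.WUServer -ne $WsusUrl) {
    throw 'WSUS client policy was not applied'
}
if ($cfg.WUServer -notmatch '^https://') {
    Write-Warning 'WUServer uses plain HTTP; prefer HTTPS so update metadata cannot be altered in transit.'
}

# Make the client drop its cached server registration and check in with WSUS now
# (wuauclt is the client tool on the XP/2003 systems in the review's test environment).
wuauclt.exe /resetauthorization /detectnow
```

Writing these keys by hand is fine for a lab or a handful of machines; in a domain, the same settings belong in a Group Policy Object, which will overwrite anything set locally at the next policy refresh. Whichever way they are set, keep the WUServer entry on HTTPS where the WSUS server supports it, because the client trusts the server's update metadata to decide what to install.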
