There is depressingly little that can be done to mitigate the negative impact of security patches, but there are steps IT managers can take to avoid problems in the first place.
The cardinal rule is to test patches before rolling them out.
The best way to avoid patching problems, however, is to not need a patch in the first place. eWeek Labs advises against default operating system installs—with their proclivity for installing everything but the kitchen sink—for this reason. Instead, install as little of every product as possible, particularly on server systems.
Trickier is determining when not to apply a newly released patch. This decision requires careful risk assessment, as well as the ability to extrapolate how a security bug could be exploited.
For example, if a hole requires a particular network protocol, and that protocol is blocked by a firewall, updating could be postponed until the next service pack or scheduled downtime.
Vendors—especially Microsoft Corp.—are making it increasingly difficult to apply discrete patches; rather, they are bundling old patches with new fixes for an all-in-one install. When you do have the option, though, choose to apply only needed patches individually. This provides a much greater degree of control.
Finally, open-source packages provide a huge advantage when it comes to patching because security fixes can be applied to older applications by IT staff indefinitely.
West Coast Technical Director Timothy Dyck can be reached at firstname.lastname@example.org.