A handful of vendors are developing new ways to help users attack their growing backlogs of security patches.
Marimba Inc. this week will launch its first foray into security patch management with a version of its change management software tailored to the deployment of hot fixes and anti-virus patches. And Microsoft Corp. will soon ship its Systems Management Server 2003 change management tool with a new patch deployment wizard and vulnerability assessment and mitigation reporting.
In addition, ManageSoft Corp. last week introduced a version of its ManageSoft Security Patch Management tool with automatic and selective patch downloads and policy-based deployment.
Marimba's Security Patch Management Solution reduces some time-consuming portions of the process through automation. The tool automates the collection of patch information from software vendor repositories, stages and packages patches for distribution, determines which patches are applicable to the environment using Marimba's inventory and auditing capability, and manages the installation and reboot sequence for targeted machines.
Marimba officials acknowledged that the software does not perform testing of patches in all configurations—something that would be nearly impossible—but the company is looking to find ways to alleviate the testing problem.
Marimba's software does help in providing a clear snapshot of the configurations deployed and in moving settings associated with patches from quality assurance testing to production, according to officials at the Mountain View, Calif., company.
But the fewer configuration variations allowed in the enterprise, the less of a problem testing poses. "We have a global standard, so we only have to test on one standard desktop. If you have a lot of different scenarios to test, it would take a lot longer," said Scotia Miller, a regional manager of desktop architecture at Barclays Global Investors, in San Francisco.
The configuration data gathered by an inventory function can help with targeting, but in the end, users "have to make risk-based decisions—how quickly must a vulnerability be closed versus the fallout from abbreviated testing," said Mark Nicolett, an analyst with Gartner Inc., in Stamford, Conn.
A growing number of enterprises want software distribution and patch management linked in a common infrastructure, according to a recent survey conducted by Enterprise Management Associates Inc., in Boulder, Colo.
Software distribution and change management providers are responding with new variations of their tools. Along with Marimba and Microsoft, Altiris Inc. and Novadigm Inc. have created patch-management-specific versions of their tools.