
Vulnerability Management and Patch Management Are Not the Same
Vulnerability management and patch management are not products. They are processes, and the products are tools used to enable the process. You cannot buy a hammer, nails and wood and expect them to just become a house, but you can go through the process of building the house or hire someone to do it for you as a service.
Vulnerability management and patch management products are often lumped together and assumed to be part of the same product. While they have a compatible relationship, they are not the same. They are distinct products with different purposes and goals, and they are used to support these processes.
Patch management is a process used to update the software, operating systems and applications on an asset in a logical manner. The purpose of a patch management system is to highlight, classify and prioritize any missing patches on an asset. For the purpose of specificity, patches are updates from the vendor; they can contain anything from security fixes to new features. The vendor sets their policy for what can be in a patch, and they should document all changes and additions in a readme file. Not all patches contain security fixes, and not all patches will fix the security issues listed. This is why just having a patch management tool will not make you secure.
Vulnerability management is a process that discovers assets on the network, categorizes the OS and applications on the assets and reports on security vulnerabilities on target systems. The vulnerability management product will scan the asset and report the known vulnerabilities found along with remediation advice. The remediation of a security vulnerability usually involves patching the vulnerable system, but it could also consist of implementing configuration changes, turning off vulnerable services or even blocking exploitation attempts
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Lamar Bailey. Read the original post at: https://www.tripwire.com/state-of-security/vulnerability-management/vulnerability-management-patch-management/