Patch Tuesday Could Form Perfect Storm for Large Companies

A perfect storm of patches can affect the operations inside a company if two or more major vendors choose to push out large patches for their products. Such storms could occur three times in 2020 — on January 14, April 14 and July 14.


Large companies tend to have a complex infrastructure, with software and hardware products from multiple vendors. Keeping those systems up to date is a 24/7 job, and installing patches is part of the routine. But what happens when multiple vendors release patches at the same time? The worst-case scenario is a perfect storm that increases the chances of conflicts between patches, of something going wrong during deployment, and of problems with vulnerability disclosure.

The patches vendors release are not always perfect, and the hardware configurations employed in the wild differ from the ones used for testing. It’s quite possible that a patch cripples the computers it’s deployed on. Rolling back the changes is not always an option, and companies suffer when their infrastructure is down.

Organizations invest considerable resources into protecting their infrastructure against malware, ransomware, and other threats. They don’t usually worry that their operations could be disturbed by legitimate patches.

A recent security report underlined that a lot of other vendors hopped on Microsoft’s Patch Tuesday, crowding IT departments everywhere with a vast number of patches. Leaving aside the fact that companies have to deploy patches gradually, there is the problem of vulnerability disclosure.

As it stands, six vendors have confirmed plans to release new patches on specific dates (January 14, April 14, and July 14): Microsoft, Oracle, Adobe, SAP, Siemens, and Schneider Electric. Another seven might jump on board, including big names like Google, Intel, and Apple.
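The three dates above fall out of the vendors' published release calendars. The script below is an added example, not code from the original post or from any of the vendors named: it assumes Microsoft's Patch Tuesday rule (the second Tuesday of every month) and Oracle's Critical Patch Update rule (the Tuesday closest to the 17th of January, April, July and October), and flags every day on which at least two of those schedules coincide. The other vendors the post lists are left out because the page gives no rule for them.

```python
from collections import defaultdict
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def second_tuesday(year, month):
    """Microsoft's Patch Tuesday: the second Tuesday of the month."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def tuesday_closest_to(year, month, day):
    """Oracle's CPU rule: the Tuesday nearest to the given day of the month.

    Distances are never tied because a week has an odd number of days.
    """
    target = date(year, month, day)
    after = target + timedelta(days=(TUESDAY - target.weekday()) % 7)
    before = after - timedelta(days=7)
    return before if (target - before) < (after - target) else after


def microsoft_dates(year):
    return [second_tuesday(year, m) for m in range(1, 13)]


def oracle_dates(year):
    return [tuesday_closest_to(year, m, 17) for m in (1, 4, 7, 10)]


# Only the two schedules whose rules are public and stable; other vendors
# from the article would be added here as further (assumed) rules.
SCHEDULES = {
    "Microsoft": microsoft_dates,
    "Oracle": oracle_dates,
}


def patch_collisions(year, schedules=SCHEDULES, min_vendors=2):
    """Return [(date, [vendor, ...]), ...] for days shared by >= min_vendors."""
    by_date = defaultdict(set)
    for vendor, schedule in schedules.items():
        for release_day in schedule(year):
            by_date[release_day].add(vendor)
    return sorted(
        (d, sorted(vendors)) for d, vendors in by_date.items()
        if len(vendors) >= min_vendors
    )


if __name__ == "__main__":
    # For 2020 this prints January 14, April 14 and July 14; the October CPU
    # lands on the 20th while Patch Tuesday is the 13th, so no collision there.
    for d, vendors in patch_collisions(2020):
        print(d.isoformat(), ", ".join(vendors))
```

Running it for 2020 reproduces the three dates in the post and also shows why October is not a fourth: Patch Tuesday falls on October 13 while Oracle's update lands on October 20. Planning a patch-window calendar a year ahead with this kind of check is what lets an IT department stage the heavy months rather than discover them on the day.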

Each new Patch Tuesday comes with a large number of vulnerability disclosures. Even when the vendors that push out a patch respect responsible disclosure, there is still a long period between the deployment of a patch for a particular vulnerability and the public reveal of its details.

Companies need to be aware that more and more patches are being generated, and the only solution is to keep the IT department fully staffed and trained to deal with the increased patch volume.

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Silviu STAHIE. Read the original post at: