Tips to Keep Track of Patches and Updates
It seems like every week some piece of your stack has a security advisory or a new version. While only the critical vulnerabilities or bugs might need immediate installation, inevitably you’ll be juggling dozens of versions, trying to decide which system requires an update and which you’ve already patched.
There are a few official and unofficial places to keep you in the loop on software lifecycle management, and by regularly using them in addition to your own tracking tools or spreadsheets, you can keep your IT environment safe and up-to-date.
Most major vendors put out Security Advisories when a vulnerability is discovered and/or a new patch is released. Keep an eye on the relevant web page — or better yet, sign up for an e-mail notification, if offered — to stay in the loop.
VMware’s security advisory page can be found here, and Microsoft also has one. Some security vendors like Trend Micro have a Security Advisory page that includes a compilation of patches, vulnerability announcements, and more from multiple other companies, all in one place. The United States Computer Emergency Readiness Team (US-CERT) also has a critical alert, vulnerability, and patch release website that covers a variety of commonly-used platforms.
Many of these advisories offer an RSS feed in addition to e-mail alerts, which you can bookmark or add to your aggregate reader.
There are two sides to version tracking: finding which version applied which changes, and keeping a log of which versions are running on your servers.
There are many websites that can help you look up specific build numbers or patch names for your commonly used software, hypervisors, and operating systems. For example, this ESXi Patch Tracker includes dozens of entries for various versions of VMware ESXi going way back. There are sites for Microsoft products as well as most of your other garden-variety enterprise IT platforms. Check the vendor websites for your software providers to see if they offer a security alert.
You also need to know which of your servers is running which software version so you can stay on top of patches and updates. For a smaller environment, a spreadsheet might work, but can quickly become unwieldy. If it isn’t updated religiously, it also runs the risk of being out of date.
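As an added illustration (not from the original article), the script below treats the tracking spreadsheet as a CSV export and checks it against the first fixed version noted from vendor advisories, flagging hosts that need a patch, records too old to trust, and products with no advisory source. The host names, product names, versions, column names and the 90-day threshold are all constructed assumptions, and versions are assumed to be purely numeric and dot-separated.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (the "spreadsheet"), with the date each row was last verified.
INVENTORY_CSV = """host,product,version,last_verified
esx-01,ExampleHypervisor,7.0.3,2024-05-20
esx-02,ExampleHypervisor,7.0.10,2024-05-28
web-01,ExampleWebServer,2.4.9,2023-11-02
db-01,ExampleDB,15.2,2024-05-30
"""

# Constructed advisory notes: first fixed version per product, as read from vendor advisories.
FIXED_IN = {"ExampleHypervisor": "7.0.4", "ExampleWebServer": "2.4.9"}


def parse_version(text):
    """Turn '7.0.10' into (7, 0, 10) so comparison is numeric, not alphabetical."""
    return tuple(int(part) for part in text.split("."))


def review_inventory(csv_text, fixed_in, today, max_age_days=90):
    """Return (needs_patch, stale, untracked) lists of host names."""
    needs_patch, stale, untracked = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        age = (today - date.fromisoformat(row["last_verified"])).days
        if age > max_age_days:
            stale.append(row["host"])  # record too old to trust; re-check the host
        fixed = fixed_in.get(row["product"])
        if fixed is None:
            untracked.append(row["host"])  # no advisory source recorded for this product
        elif parse_version(row["version"]) < parse_version(fixed):
            needs_patch.append(row["host"])  # running a build older than the fix
    return needs_patch, stale, untracked


if __name__ == "__main__":
    patch, stale, untracked = review_inventory(INVENTORY_CSV, FIXED_IN, date(2024, 6, 1))
    print("needs patch:", patch)
    print("stale records:", stale)
    print("no advisory source:", untracked)
```

Comparing versions as plain strings would wrongly rank 7.0.10 below 7.0.4, which is why the versions are parsed into integer tuples first.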
There are software platforms to help with IT asset management and software inventory, like SolarWinds, Git, Mercurial, SVN, Helix VCS, Microsoft Team Foundation Server, Subversion, Rational ClearCase, CVS, and CA Harvest SCM. You may be able to bundle licensing for one along with your existing enterprise software; otherwise choose based on compatibility, feature set, and pricing.
Need to learn about specific features in a new software version? The vendor Knowledge Base should be your first stop. Similar to security alert pages, most large IT software providers have an online Knowledge Base that consists of help articles, support resolution descriptions, and accounts of software updates and changes.
They can help you determine whether new software will be compatible with your existing environment, whether a new feature is worth your while, how to install or roll back updates, and much more.
It can feel overwhelming trying to stay on top of software versions throughout an enterprise IT environment, but by being proactive with your RSS feeds and e-mail notifications, regularly checking in on vendor websites, and some pre-install research, you’ll keep your environment free of vulnerabilities and functioning smoothly.