
Patching and Updating

What is Patching and Updating?

Patch management is the process of distributing and applying updates to software and the operating system that address security vulnerabilities within products and programs. Areas that commonly need patches include operating systems, applications, and embedded systems, such as network equipment. The following is the process used for creating software patches:

  • The developer makes changes to the outputs of a project by editing files available in a version control system, which tracks changes to the document and source code over time
  • The developer ensures that the patch complies with the documentation and coding standards of the project
  • The developer thoroughly tests the changes against any test suites provided by the project
  • The developer clearly documents details about what the patch is intended to do, how to implement it, and how to use it
  • Finally, the patch is created using the appropriate development environment and it is submitted to the appropriate entity for evaluation

The patch will be reviewed through the following steps[1]:

  1. Patch value is evaluated
  2. Feedback is provided and changes are made, if necessary
  3. Patch is experimentally applied
  4. Test suites are run against changed code
  5. Problems are reported to the developer and changes are made, if necessary
  6. Patch is committed to the version control system

Once a patch is committed, it is available in the public version control system, which results in an automated notification to the developer community where community members can review the contribution. When software updates are available for users, vendors usually put them on their websites to download[2]. Some software will automatically check for updates, and many vendors offer the option for users to receive updates automatically. CISA recommends taking the option to receive automatic updates, if that option is available. CISA provides the following recommended best practices for software updates:

  • Do not use unsupported end-of-life software, which is software that is no longer receiving support or updates from the vendor
  • Always visit vendor sites directly rather than clicking on email links or ads
  • Do not perform software updates while using untrusted networks such as those in airports, coffee shops, hotels, etc.
  • Enable automatic software updating to ensure software updates are installed as quickly as possible
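As an added illustration (not part of the CISA tip or this page's original material), the script below audits a constructed software inventory against the four practices above: end-of-life software, update links that do not resolve to the vendor's own site, and disabled automatic updating, with an untrusted-network flag that postpones updates. Product names, domains and dates are invented; the vendor domain for each product is assumed to be known in advance.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class Software:
    name: str
    vendor_domain: str            # domain the vendor publishes updates from (assumed known)
    end_of_life: Optional[date]   # None means the vendor still supports this product
    auto_update: bool             # automatic updating enabled?
    update_link: Optional[str]    # link the user was about to follow, e.g. from an e-mail


def on_vendor_site(url: str, vendor_domain: str) -> bool:
    """True only if the link's host is the vendor domain or a sub-domain of it.
    The dot boundary matters: 'vendor.example.evil.test' must not pass."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    vendor_domain = vendor_domain.lower()
    return host == vendor_domain or host.endswith("." + vendor_domain)


def audit(inventory: List[Software], today: date, trusted_network: bool) -> List[Tuple[str, str]]:
    """Return (software name, finding) pairs, one per violated practice."""
    findings = []
    for sw in inventory:
        if sw.end_of_life is not None and sw.end_of_life <= today:
            findings.append((sw.name, "end-of-life: vendor no longer ships updates"))
        if not sw.auto_update:
            findings.append((sw.name, "automatic updates disabled"))
        if sw.update_link and not on_vendor_site(sw.update_link, sw.vendor_domain):
            findings.append((sw.name, "update link does not point to the vendor site"))
    if not trusted_network:
        findings.append(("*", "untrusted network: postpone updates until on a trusted one"))
    return findings


# Constructed sample inventory; names, domains and dates are illustrative only.
SAMPLE = [
    Software("LegacyViewer", "legacyviewer.example", date(2020, 12, 31), False,
             "https://legacyviewer.example/download"),
    Software("OfficeSuite", "officesuite.example", None, True,
             "https://updates.officesuite.example/v2"),
    Software("Messenger", "messenger.example", None, True,
             "https://messenger.example.evil.test/update"),   # look-alike host
]


def sample_findings() -> List[Tuple[str, str]]:
    return audit(SAMPLE, date(2024, 1, 1), trusted_network=True)


if __name__ == "__main__":
    for name, finding in sample_findings():
        print(f"{name}: {finding}")
```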

[1] Gardler, 2013, “What Is A Software Patch?”

[2] CISA, 2021, “Security Tip (ST04-006): Understanding Patches and Software Updates”