NIST Revises Software Patch Management Guide for Automated Processes

The National Institute of Standards and Technology (NIST) has published for public comment a revised draft of its guidance for managing computer patches to improve overall system security for large organizations. The previous version, issued as Creating a Patch and Vulnerability Management Program (NIST Special Publication 800-40) was written when such patching was done manually. The guide has been updated for the automated security systems now in use, such as those based on NIST's Security Content Automation Protocol.

A "patch" is a piece of computer code that a software company writes and distributes to fix a problem found in one of its previously released programs. Many patches fix problems related to security—specifically, vulnerabilities in the programs that attackers can exploit. Hackers seek out these vulnerabilities to gain access to a computer and its information, which then can be used to gain access to other vulnerable computers and information. These compromised computers also can be used to attack other computers. To prevent these problems, patches need to be deployed to computer systems quickly to minimize the window of opportunity for attackers.

But computer security professionals cannot necessarily just add the patch because of the disruption this might cause, such as inadvertently breaking other applications, causing computers to reboot during patch installation, or consuming all of a smartphone's monthly data allotment. Professionals need to follow a management process for identifying, acquiring, installing and verifying patches for products and systems. Guide to Enterprise Patch Management Technologies is designed to assist organizations in understanding the basics of patch management technologies. It explains the importance of patch management and examines inherent challenges in performing his function. The guide also provides an overview of enterprise patch management technologies and briefly covers metrics for measuring the technologies' effectiveness and for comparing the relative importance of patches.

The guide provides recommendations that organizations should implement to improve the effectiveness and efficiencies of their enterprise management technologies. Organizations should:

• deploy enterprise patch management tools using a phased approach,
• reduce the risks associated with enterprise patch management tools by applying standard security techniques that should be used when deploying any enterprise-wide application, and
• balance security needs with their usability and availability needs.

The publication was created for security managers, engineers, administrators and others responsible for working with security patches. Auditors who need to assess the security of systems may also find the document valuable.

The draft of Guide to Enterprise Patch Management Technologies, NIST Special Publication 800-40 Revision 3, may be downloaded from http://csrc.nist.gov/publications/drafts/800-40/draft-sp800-40rev3.pdf. Comments on the draft should be submitted by Friday, Oct. 19, 2012, to 800-40comments [at] nist.gov (subject: SP%20800-40%20Comments) (800-40comments[at]nist[dot]gov) with the subject "SP 800-40 Comments."