Patch management software automates the onerous task of keeping track of all of your organization's software and managing the timely application of updates, taking a lot of the pain out of the patch management process.

Patch management is one of the most important security tasks in any organization because leaving software unpatched means running code with security vulnerabilities, and that means putting your organization at risk of a serious security breach. Not staying up to date on software security patches is linked to a wide range of security issues, including malware targeting Macs and malware in point-of-sale systems.

But unless your company has no more than a handful of servers, PCs and mobile devices, ensuring that all of them are updated with the latest security patches is, in practical terms, impossible. That is where patch management software comes in.

In this article, we answer the questions:

  • Why use patch management software?
  • How does patch management software work?
  • What are patch management software risks?
  • What are desirable features for patch management software?
  • What questions should you ask when shopping for patch management software?
  • What are some patch management products to consider?

Why Use Patch Management Software?

While ensuring that patches are applied in a timely fashion to mitigate security risks is a good reason to use patch management software, it isn't the only reason. Because timely patching may also be a regulatory requirement in your industry, patch management software can be a useful tool for demonstrating your compliance to auditors.

There's also a good argument for freeing up resources. Keeping track of the release of security patches and manually applying them to large numbers of machines is a hugely complex and time-consuming process. Using patch management software to automate this task enables organizations to free up security or IT staff time so they can work on more productive tasks.

How Patch Management Software Works

Most patch management software works in one of two ways -- and some products use both methods.

Some patch management software relies on a local agent installed on each of your company's devices to keep track of the software running on them. This information is sent back to a central server, which collates it and which may initiate updates and distribute patches to endpoints when necessary.

The alternative is an agentless patch management system, which keeps track of every endpoint device and the software running on it by scanning the endpoints remotely, and which also initiates and distributes updates.

Agentless systems are more convenient in large, distributed organizations because no agents have to be deployed to new systems. Instead, the system can detect and enrol them automatically. Agentless systems also avoid the risk that an agent is removed or disabled by a user (deliberately or by accident) or by a malicious hacker – potentially leaving the endpoint unmonitored and unpatched.

But agent-based systems may be more suitable for organizations with large mobile workforces whose computers may often be offline and therefore invisible to an agentless system. Agents can "check in" as soon as they are back online and report the results of the software scans they carried out while offline. Agents can also be used as relays to help distribute patches in local offices and therefore reduce the load on WAN links.

Patch Management Software Risks

While patch management software is designed to reduce your security risk, ironically it can also introduce new security risks into your organization.

The most basic risk is that the patch management software itself has a vulnerability that can be exploited by malicious hackers, just as the addition of any software increases an organization's attack surface.

Because the patch management server is a central distribution point for security patches, there is a risk that patches may be altered, or that administrator credentials may be compromised to allow an attacker to cancel updates or carry out other malicious acts. It's also possible that an attacker with access to your network could monitor patch management software traffic to identify machines that are running vulnerable software.

To mitigate these risks, patch management software must itself be patched quickly, and it should verify the integrity of patches by comparing checksums before installation. In addition, patch management software should use encryption when it communicates with endpoints.
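As an added example (not code from the article or from any product it names) of the checksum check described above, this Python snippet verifies downloaded patches against a vendor manifest before anything is handed to an installer; the manifest format, file names and payload bytes are constructed for illustration.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a patch payload."""
    return hashlib.sha256(data).hexdigest()

def build_manifest(genuine_patches: dict) -> dict:
    """Simulates the vendor publishing a name -> digest manifest (hypothetical format)."""
    return {name: sha256_hex(data) for name, data in genuine_patches.items()}

def verify_patch(data: bytes, expected_hex: str) -> bool:
    """Compare the payload digest to the manifest entry in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())

def stage_patches(manifest: dict, downloads: dict):
    """Sort downloaded patches into those safe to install and those to quarantine.

    A patch is rejected if it is missing from the manifest (an unexpected file on
    the distribution point) or if its digest does not match (altered in transit
    or at rest). Rejected patches must never reach the installer.
    """
    accepted, rejected = [], []
    for name, data in downloads.items():
        expected = manifest.get(name)
        if expected is None:
            rejected.append((name, "not in manifest"))
        elif not verify_patch(data, expected):
            rejected.append((name, "checksum mismatch"))
        else:
            accepted.append(name)
    return accepted, rejected

# Constructed sample data: two genuine patch payloads as the vendor shipped them.
GENUINE_PATCHES = {
    "kb-0001.msp": b"MSP\x00genuine hotfix payload 0001",
    "kb-0002.msp": b"MSP\x00genuine hotfix payload 0002",
}
# Constructed downloads as found on the distribution server: one intact,
# one with its last byte altered, and one file the vendor never published.
DOWNLOADS = {
    "kb-0001.msp": GENUINE_PATCHES["kb-0001.msp"],
    "kb-0002.msp": GENUINE_PATCHES["kb-0002.msp"][:-1] + b"X",
    "kb-0003.msp": b"MSP\x00unexpected payload",
}

if __name__ == "__main__":
    manifest = build_manifest(GENUINE_PATCHES)
    ok, bad = stage_patches(manifest, DOWNLOADS)
    print("install:", ok)
    print("quarantine:", bad)
```

A checksum only helps if the manifest is obtained separately from the patches, for example over the encrypted channel the article recommends; a vendor signature on the manifest gives stronger assurance than a bare digest.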

Desirable Patch Management Software Features

As all patch management software performs essentially the same function, the basic features that monitor installed software and the availability of patches are similar across products.

Important features that may deserve special scrutiny are:

  • Integration with other security products from the same vendor. Although patch management software is available as a point solution from many vendors, it may also be available as an add-on to existing security management systems. If that's the case, it may be more convenient -- and economic -- to manage this aspect of security through the same management console as the rest of your security systems.
  • Integration with third-party configuration management products. Some patch management software products integrate with systems including Microsoft's System Center Configuration Manager to make it easy to manage patching from a single console.
  • Reporting. If your company operates in a regulated industry, you should ensure that any product you consider can monitor the status of any key software and demonstrate to auditors that all necessary systems are patched promptly and are compliant with relevant regulations.
  • Dashboards. Patch management software is only useful if it can show you the status of all your systems at a glance. Look for products that offer a dashboard showing the patch status of all your systems, so you can easily identify and investigate any systems that are unpatched. Some products also issue alerts by email or SMS when new patches are released.
  • Support for virtual machines. If you operate a virtualized environment, this is obviously a key feature.

This screenshot from ManageEngine's Desktop Central product is an example of what security admins using patch management software might see.

Questions to Ask Patch Management Software Vendors

Here is a good list of questions to ask potential patch management software suppliers:

  • Does it support all the software -- including operating systems -- currently in use in your organization as well as any that may be adopted in the foreseeable future?
  • Can it patch plug-ins to browsers and other software?
  • Does it support all your hardware devices?
  • Does it support network devices such as switches, routers, access points and printers?
  • Is support available during the times when you expect to carry out patching?
  • Does it support software running in VMs?
  • Which third-party management systems does it integrate with?
  • Does it provide compliance reports for specific regulations (such as PCI-DSS)?
  • Can it test patches and roll them back when patching leads to unexpected behavior?
  • Does it allow secure remote access for your admins using a web interface, and does it allow multiple concurrent users?

Patch Management Software Products to Consider

The following are some notable patch management software products.

  • GFI LanGuard
  • Shavlik Protect
  • Solarwinds Patch Manager
  • Autonomic Software Patch and Application Manager for McAfee ePO
  • Lumension Patch and Remediation
  • Kaspersky Systems Management
  • Symantec Client Management Suite
  • ManageEngine Desktop Central
  • Dell Kace K1000 (appliance)
  • Micro Focus Zenworks Patch Management
  • Kaseya Patch Management
  • Ecora Patch Manager
  • DameWare Patch Manager
  • Flexera Corporate Software Inspector (formerly Secunia CSI)
  • Cloud Management Suite Patch Manager
  • Patchsimple (cloud based)

Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.