Patch management is the optimal solution for protecting computers against known software flaws for which vendor patches exist. Third-party products that attempt to correct these flaws through firewalls, anti-virus software or intrusion-prevention systems alone are not reliable, for several reasons. The operating system or application vendor that releases a patch is the only organization that truly understands the nature and extent of the flaw, so it is best placed to supply the fix. Often the patch corrects more issues and closes more avenues of attack than are known outside the vendor, including details supplied privately by the person(s) who originally found and reported the flaw. Because the vendor has access to the source code, it can identify every component of the operating system or application that might be affected and update the relevant code to eliminate the flaw in each instance.
In some cases it is not generally known that a patch for one item - say, a Web server flaw - also corrects a flaw in another area of the operating system, such as the desktop shell. In these instances, using an IPS or firewall to block the Web server flaw does nothing for the other vulnerable code, which remains reachable through whatever path exposes it. As noted, only the vendor knows the true extent of the flaw, so the vendor is best positioned to fix it.
Patches also contain the latest versions of the affected code. Patches are often cumulative, meaning that the latest version of each file contains all the known security fixes. Applying a patch ensures that you're running the latest version of the vendor code, with both public and non-public security flaws in the associated code fixed.
As end users, we don't know exactly what was fixed in any given patch; therefore we can't adequately construct alternative solutions. Such solutions run a high risk of hindering intended functionality and/or not completely correcting the flaw across all attack vectors. A patch, on the other hand, is the vendor-supported solution that addresses all aspects of the flaw while maintaining intended functionality. Applying the patch is the only way to be confident that the reported vulnerability is fully remediated; third-party controls are at best a stopgap while a patch is tested and rolled out, not a substitute for it.
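The distinction the column draws - a vendor patch remediates a flaw, while an IPS or firewall rule at most mitigates one path to it - is what a patch-compliance check has to encode. The following is an added example, not code from the original article or from any vendor; every advisory identifier, package name, version and host in it is constructed, and it assumes purely numeric dotted version strings. It classifies each host against an advisory as remediated (installed version at or above the cumulative fixed-in version), mitigated or partially mitigated (unpatched, with a third-party control covering all or only some of the known attack vectors) or vulnerable.

```python
"""Patch-compliance check separating remediation (vendor patch applied)
from mitigation (a third-party control blocks one or more attack vectors).

Added example: every advisory, package, version and host below is
constructed for illustration and refers to no real product or CVE.
"""
from dataclasses import dataclass, field


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version into a tuple that compares correctly.
    Comparing as strings would rank '2.2.9' above '2.2.10'.
    Assumes purely numeric components; vendor-specific schemes need
    their own comparator."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    ident: str            # constructed identifier, not a real CVE
    package: str          # affected vendor package (hypothetical name)
    fixed_in: str         # first (cumulative) version carrying the fix
    vectors: frozenset    # attack surfaces the flawed code is reachable from


@dataclass
class Host:
    name: str
    installed: dict                                # package -> version
    ips_blocks: set = field(default_factory=set)   # vectors an IPS rule covers


def is_patched(host: Host, adv: Advisory):
    """True/False if the package is present, None if it is not installed.
    Because vendor patches are cumulative, any version >= fixed_in
    contains this fix and every earlier one."""
    version = host.installed.get(adv.package)
    if version is None:
        return None
    return parse_version(version) >= parse_version(adv.fixed_in)


def assess(host: Host, adv: Advisory) -> str:
    """Classify one host against one advisory."""
    patched = is_patched(host, adv)
    if patched is None:
        return "not-applicable"
    if patched:
        return "remediated"
    # Unpatched: a third-party control may block some vectors, but the
    # flawed code is still present and reachable through any vector the
    # control does not cover (and through any the vendor never disclosed).
    covered = adv.vectors & host.ips_blocks
    if covered == adv.vectors:
        return "mitigated"
    if covered:
        return "partially-mitigated"
    return "vulnerable"


def report(hosts, advisories) -> dict:
    """Map host name -> {advisory id -> status} for a fleet."""
    return {h.name: {a.ident: assess(h, a) for a in advisories} for h in hosts}


# Constructed fleet. The advisory mirrors the article's scenario of a
# Web server flaw whose fix also touches the desktop shell, so the flawed
# code is reachable both over HTTP and locally via the shell.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "webserver-core", "2.2.4",
             frozenset({"http", "shell"})),
]
HOSTS = [
    Host("web01", {"webserver-core": "2.2.4"}),                   # exact fixed-in build
    Host("web02", {"webserver-core": "2.2.10"}),                  # later cumulative build
    Host("web03", {"webserver-core": "2.2.3"}, {"http"}),         # IPS covers HTTP only
    Host("web04", {"webserver-core": "2.2.3"}, {"http", "shell"}),  # IPS covers both
    Host("web05", {"webserver-core": "2.2.3"}),                   # no control at all
    Host("db01", {"database": "9.1.0"}),                          # package absent
]

if __name__ == "__main__":
    for name, statuses in report(HOSTS, ADVISORIES).items():
        for ident, status in statuses.items():
            print(f"{name:6} {ident:14} {status}")
```

Note that web04 still comes out as "mitigated" rather than "remediated" even though its IPS covers every vector listed in the advisory: the vulnerable code is still on the box, and the advisory's vector list is only what is known outside the vendor. Only a version at or above the fixed-in build, as on web01 and web02, counts as remediation.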