Pure-play vendors such as Shavlik Technologies, BigFix and PatchLink got off to an early lead in the patch management game, but many established security vendors are adding patching to their arsenals. This means more choices for users, and it means the pure-play leaders need to adapt quickly to the trend toward multipurpose tools.
While software should be developed with a focus on minimizing security issues in the first place, the reality is that you'll always need to understand what is running in your environment and have the ability to deploy updates quickly and easily.
And the need for patch management grows stronger every day. Virus, worm, Trojan and phishing techniques are only getting more sophisticated, probing for vulnerabilities in e-mail, Web browsers, instant messaging, file sharing and the like.
A company only needs to be brought to its knees once by an infection to understand the importance of patching. Personal firewalls, intrusion prevention and other mitigating controls can be implemented, but they only block paths to a vulnerability; patching is the only way to remove the vulnerability itself.
• First of all, operating system vendors are providing products focused on their individual platforms. Microsoft released Software Update Services (SUS) and has the next-generation Windows Update Services (WUS) in beta (see test). Red Hat has added a patch management offering for its enterprise products, although it is a bit pricey.
Microsoft is quickly gaining ground in this area, especially because its tools are free. As functionality continues to evolve in WUS, some companies are having a hard time justifying the cost of the current pure-play patch management products when they can get similar functionality at no charge.
But most companies are not single-platform environments, so they end up implementing one patch management process for Windows, one for Linux and a third for Solaris. This is not ideal, so many are looking for a patch management solution that provides cross-platform support.
• Asset/configuration management companies are really taking charge of the patch management arena. They are in the ideal position because they already have agents running on all managed systems and have access to see what is installed and configured. Add some functionality for identifying missing patches, plug that in to the software deployment mechanism, and a new patch management module is born.
Altiris, Configuresoft and LANDesk are a few of the heavy hitters in this area.
• Vulnerability assessment products also are joining the fray. They can already identify missing patches on a system; they just need to add a deployment mechanism. Citadel (see recent test results) already fills this gap, taking assessment results and providing remediation actions. Visionael also has a remediation module for its vulnerability assessment product. At this point, I don't see vulnerability assessment products becoming the primary patch management product in a company, but they are likely to serve as a central point of remediation, with scan results driving the patch work that other tools carry out.
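The two approaches above (an asset agent that knows what is installed, and a scanner that knows which patches are missing) both reduce to the same core check: compare each host's installed versions against the version in which a fix shipped, then hand the gaps to a deployment mechanism, grouped per platform so one process can cover Windows, Linux and Solaris together. The following is an added example written for this page, not code from any of the vendors named above. The inventory, the advisory list, the version strings and the patch identifiers (ADV-W-001 and so on) are all constructed sample data; a real tool would populate them from its agent or scan results.

```python
"""Cross-platform missing-patch check (illustrative example, not vendor code).

Assumptions: the inventory and advisory data below are constructed samples,
and the patch identifiers are placeholders for whatever the deployment
mechanism actually consumes.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    platform: str   # "windows", "rhel" or "solaris"
    package: str    # installed component the advisory applies to
    fixed_in: str   # first version that contains the fix
    patch_id: str   # identifier handed to the deployment mechanism (assumed)


def version_key(version):
    """Split '0.9.7a-33' into comparable parts so that '1.10' sorts after
    '1.9'. Numeric parts compare as integers; non-numeric parts compare as
    strings and sort below any number. A plain string comparison would get
    '1.10' < '1.9' wrong."""
    parts = re.split(r"[.\-]", version)
    return tuple((int(p), "") if p.isdigit() else (-1, p) for p in parts)


def is_missing(installed, advisory):
    """True when the installed version predates the fixed version."""
    return version_key(installed) < version_key(advisory.fixed_in)


def missing_patches(inventory, advisories):
    """inventory: {host: {"platform": str, "packages": {name: version}}}
    Returns {host: [patch_id, ...]} for every host below a fixed version.
    An advisory for a package that is not installed is not a missing patch,
    which is the same rule an agent-based tool applies."""
    plan = {}
    for host, info in inventory.items():
        needed = []
        for adv in advisories:
            if adv.platform != info["platform"]:
                continue
            installed = info["packages"].get(adv.package)
            if installed is not None and is_missing(installed, adv):
                needed.append(adv.patch_id)
        if needed:
            plan[host] = sorted(needed)
    return plan


def by_platform(plan, inventory):
    """Group the remediation plan per platform so one deployment run can
    dispatch each platform's work to the right mechanism."""
    grouped = {}
    for host, patches in plan.items():
        grouped.setdefault(inventory[host]["platform"], {})[host] = patches
    return grouped


# Constructed sample data: host names, versions and patch IDs are invented.
SAMPLE_INVENTORY = {
    "win-fs01": {"platform": "windows",
                 "packages": {"ie": "6.0.2800.1106", "mssql": "8.0.760"}},
    "rhel-web01": {"platform": "rhel",
                   "packages": {"openssl": "0.9.7a-33", "httpd": "2.0.46-40"}},
    "rhel-web02": {"platform": "rhel",
                   "packages": {"openssl": "0.9.7a-35", "httpd": "2.0.46-40"}},
    "sol-db01": {"platform": "solaris",
                 "packages": {"sendmail": "8.12.10"}},
}

SAMPLE_ADVISORIES = [
    Advisory("windows", "ie", "6.0.2800.1400", "ADV-W-001"),
    Advisory("rhel", "openssl", "0.9.7a-35", "ADV-R-001"),
    Advisory("rhel", "bind", "9.2.4", "ADV-R-002"),      # installed nowhere
    Advisory("solaris", "sendmail", "8.13.1", "ADV-S-001"),
]


if __name__ == "__main__":
    plan = missing_patches(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)
    for platform, hosts in sorted(by_platform(plan, SAMPLE_INVENTORY).items()):
        for host, patches in sorted(hosts.items()):
            print(f"{platform:8} {host:12} needs {', '.join(patches)}")
```

With the sample data, rhel-web02 drops out of the plan because it already runs the fixed openssl build, the bind advisory matches no host because bind is installed nowhere, and the three remaining hosts each come back under their own platform heading. The version comparison is the part worth getting right: a tool that compares version strings lexically will report a fully patched host as vulnerable (or worse, a vulnerable one as patched) whenever a component crosses from single to double digits.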