Patch Management

• By Scott Bekker
• June 26, 2006

Microsoft may have overhauled its patch management infrastructure in the last few years, but third party vendors are still finding plenty to do. Since ENTmag last visited patch management in a special report in 2004, the myriad patch management vendors have been busy. A roundup of activity over the last six months:

Earlier this month, Scottsdale, Ariz.-based PatchLink announced plans to release an Enterprise Reporting Server 3.0 worldwide in the third quarter of this year. Dubbed ERS, the product integrates with PatchLink's flagship product, PatchLink Update. The reporting server is designed to provide enterprise-wide data on vulnerabilities and remediation for security monitoring and IT compliance.

The product reinforces a trend noted by IDC analyst Charles J. Kolodgy. "Vendors have created or are moving to integrate vulnerability assessment with security management to provide enterprises with a comprehensive risk capability," Kolodgy noted in a recent report on the worldwide security and vulnerability management software market, in which IDC includes patch management products.

In the category of useful press releases, PatchLink put out a best practices list for preparing for Microsoft Patch Tuesday. The list, released in March, offers 20 best practices separated into four time periods – laying the ground work; a week before Patch Tuesday; on Patch Tuesday; and after Patch Tuesday. View the list here.

In late April, St. Paul, Minn.-based Shavlik Technologies LLC made its new Shavlik NetChk Analyzer product generally available. The agentless, command-line tool performs patch scanning for Microsoft and non-Microsoft products not scanned for in Microsoft's own tool, MBSA 1.2.1, according to Shavlik. Extra products the Shavlik tool scans for include Adobe Reader, Firefox, Real Player and WinZip. Further, Shavlik touts the ease of upgrading from MBSA 1.2.1 to NetChk Analyzer.

Another vendor traveling down the road of diversified patch management for heterogeneous enterprise environments -- a healthy move as Microsoft's own tools become more sophisticated -- is Portsmouth, N.H.-based Ecora.

"While Microsoft's patch problems get all the attention, it's easy to forget that it's not the only vendor releasing patches to address critical security vulnerabilities,” Alex Bakman, founder and CEO of Ecora, said in a statement announcing the March availability of Ecora Patch Manager v5. The product is focused on providing a simple way to deploy third-party patches, complicated software development kits and scripts, Bakman says.

New infrastructural features of Ecora's v5 product include wake-on-LAN and a capability to send patches over HTTP to patch through firewalls and DMZ environments.

BigFix, of Emeryville, Calif., continued its move toward generalized software management with the late spring release of BigFix Enterprise Suite 6.0. In addition to the company's traditional patch management and distribution products, BigFix is going much deeper into software deployment, compliance reporting and asset tracking.

"In many of our customers, security functions are moving into operations, driven by compliance imperatives and the need to insure the security of their networks against the background of more threats targeting more entry-points in the enterprise," Gregory Toto, vice president, product management at BigFix, said in a statement. "To help them improve the effectiveness and efficiency of their IT operations, we continue to expand BigFix security and configuration management capabilities delivered on the single-agent BigFix platform."

Late last year, St. Bernard Software, of San Diego, released its latest patching product, called UpdateEXPERT Premium. Key features include policy-based patching and wake-on-LAN capability. Designed for small to medium-sized businesses, the pricing allows one to 50 workstations to be supported on a one-year subscription of $840.