Model | Operations | Environment Management | Patching and Updating
Benefit
Mitigation of well-known issues in third-party components
Activity
Identify applications and third-party components which need to be updated or patched, including underlying operating systems, application servers, and third-party code libraries.
At this level of maturity, your identification and patching activities are best-effort and ad hoc, without a managed process for tracking component versions, available updates, and patch status. However, high-level requirements for patching activities (e.g., testing patches before pushing to production) may exist, and product teams are achieving best-effort compliance with those requirements.
Except for critical security updates (e.g., an exploit for a third-party component has been publicly released), teams leverage maintenance windows established for other purposes to apply component patches. For software developed by the organization, component patches are delivered to customers and organization-managed solutions only as part of feature releases.
Teams share their awareness of available updates, and their experiences with patching, on an ad hoc basis. Ensure teams can determine the versions of all components in use, to evaluate whether their products are affected by a security vulnerability when notified. However, the process for generating and maintaining component lists may require significant analyst effort.
Question
Do you identify and patch vulnerable components?
Quality criteria
You have an up-to-date list of components, including version information |
You regularly review public sources for vulnerabilities related to your components |
Answers
No |
Yes, for some components |
Yes, for at least half of the components |
Yes, for most or all of the components |
Benefit
Consistent and proactive patching of technology stack components
Activity
Develop and follow a well-defined process for managing patches to application components across the technology stacks in use. Ensure processes include regular schedules for applying vendor updates, aligned with vendor update calendars (e.g., Microsoft Patch Tuesday). For software developed by the organization, deliver releases to customers and organization-managed solutions on a regular basis (e.g., monthly), regardless of whether you are including new features.
Create guidance for prioritizing component patching, reflecting your risk tolerance and management objectives. Consider operational factors (e.g., criticality of the application, severity of the vulnerabilities addressed) in determining priorities for testing and applying patches.
In the event receive a notification for a critical vulnerability in a component, while no patch is yet available, triage and handle the situation as a risk management issue (e.g., implement compensating controls, obtain customer risk acceptance, or disable affected applications/features).
Question
Do you follow an established process for updating components of your technology stacks?
Quality criteria
The process includes vendor information for third-party patches |
The process considers external sources to gather information about zero day attacks, and includes appropriate risk mitigation steps |
The process includes guidance for prioritizing component updates |
Answers
No |
Yes, for some components |
Yes, for at least half of the components |
Yes, for most or all of the components |
Benefit
Clear view on component patch state to avoid non-conformities
Activity
Develop and use management dashboards/reports to track compliance with patching processes and SLAs, across the portfolio. Ensure dependency management and application packaging processes can support applying component-level patches at any time, to meet required SLAs.
Treat missed updates as security-related product defects, and manage their triage and correction in accordance with your established Defect Management practice.
Don’t rely on routine notifications from component vendors to learn about vulnerabilities and associated patches. Monitor a variety of external threat intelligence sources, to learn about zero day vulnerabilities; handle those affecting your applications as risk management issues.
Question
Do you regularly evaluate components and review patch level status?
Quality criteria
You update the list with components and versions |
You identify and update missing updates according to existing SLA |
You review and update the process based on feedback from the people who perform patching |
Answers
No |
Yes, for some components |
Yes, for at least half of the components |
Yes, for most or all of the components |
Stream Guidance
- SAMM team guidance Google Doc
- Be the first to add to the Community guidance for this Stream!
Want to contribute?
Complete this Google Form with guidance for this Stream.
To learn more about Stream guidance for the SAMM model, see the Stream guidance page.