If you calculate the man-hours that would be spent manually patching your systems, and consider the risks of not patching, you will probably see that automated patch management is a return on investment (ROI) you can’t ignore.

The risk to unpatched systems, and the potential cost in downtime and recovery, grows the longer an exploit is publicly known. Automated patch management solutions go hand in hand with your vulnerability management program: they help reduce costs and narrow the window during which your critical systems are exposed.

What patch management strategy do you have? What tools do you have in place to help make your life easier? If you have time (and patience!), an open source solution is something you might consider.

Chef and Puppet are two of the most popular automated deployment and configuration management solutions available today.

Chef is an automation framework that allows you to manage system configurations and deploy software. Applications can be deployed to any node in your physical, virtual or cloud-based infrastructure on which the Chef client can be installed. Chef works by letting you write scripts (‘recipes’) in a pure-Ruby domain-specific language (DSL); recipes are grouped into a ‘cookbook’ that is stored on a Chef server.


The Chef client calls into the Chef server, downloads configuration data and then executes all associated tasks to bring it in line with what is defined in the ‘cookbook’ (the image above shows an example of a simple Chef ‘recipe’).

Puppet is a cross-platform open source configuration management tool that uses its own declarative language (or a Ruby DSL) to write ‘manifests’ describing the desired configuration state of specific resources. These manifests are then applied to the target machines.

Ansible is similar to Chef and Puppet but uses an SSH-based, agentless model to remotely install packages, copy files and so on. Python 2.6+ is required on the control machine and Python 2.5+ on the client nodes.

OPSI (Open PC Server Integration) is a Linux-based open source client management platform for managing Windows clients. One of its key features is automated software distribution and patch management.

These tools are definitely worth evaluating. With a little thought and some coding, they can all be configured to deploy patches automatically. As with every patch management strategy, the important thing is to test your patches first. Additionally, when using one of these open source solutions, consider having your nodes download updates from an internal patch repository.
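The test-first, internal-repository practice described above, written out as an Ansible playbook; this is an added example, not code from the original post or from the Ansible project. The inventory groups `patch_canary` and `patch_production`, the mirror host `patches.example.internal` and the Debian/Ubuntu targets are assumptions.

```yaml
# Added example, not from the original post. Assumed placeholders: the inventory
# groups 'patch_canary' and 'patch_production', and the mirror host
# patches.example.internal. Targets are Debian/Ubuntu hosts reachable over SSH.
- name: Patch a small canary group first and stop the run if anything fails
  hosts: patch_canary
  become: true
  any_errors_fatal: true          # a broken patch on a canary aborts the whole run
  tasks: &patch_tasks
    - name: Point apt at the internal mirror instead of public repositories
      ansible.builtin.copy:
        dest: /etc/apt/sources.list
        backup: true
        mode: "0644"
        content: |
          deb https://patches.example.internal/ubuntu {{ ansible_facts['distribution_release'] }} main universe
          deb https://patches.example.internal/ubuntu {{ ansible_facts['distribution_release'] }}-security main universe

    - name: Refresh the package index and apply pending upgrades
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 600
        upgrade: safe             # equivalent to 'apt-get upgrade'; never removes packages

    - name: Detect whether a kernel or libc update needs a reboot
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_marker

    - name: Reboot only when the distribution says it is required
      ansible.builtin.reboot:
        reboot_timeout: 600
      when: reboot_marker.stat.exists

- name: Roll the same tasks out to production in small batches
  hosts: patch_production
  become: true
  serial: "25%"                   # four waves; a single failure in a wave halts the rest
  max_fail_percentage: 0
  tasks: *patch_tasks             # YAML alias reuses the task list from the canary play
```

Run it with `ansible-playbook -i inventory patch.yml`; because the canary play sets `any_errors_fatal`, production is never touched if the patches break the canary hosts.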

The downside to such tools is that they can require a significant amount of time and effort to learn, test, implement and manage. If you are looking for an out-of-the-box network security scanner and automated patch management solution, you could give GFI’s LanGuard a try.

GFI LanGuard scans for vulnerabilities and its auto-remediate feature automatically downloads and installs missing patches and service packs (as well as software updates for the likes of Adobe Reader, Chrome, and more). The best thing about this product is that it saves you buckets of time, something all sysadmins need more of!