Microsoft and NIST have ongoing research into the behaviours around keeping systems up to date. I’m in the ‘update everything all the time and deal with breakages as they occur’ camp, but the more sensible approach for most organisations is to apply patches to a testbed and test against business-critical applications before rolling out. What’s your approach?…:
[…] While the discussions mostly went in expected directions, we were surprised at how many challenges organizations had on processes and standards, including:
- “What sort of testing should we actually be doing for patch testing?”
- “How fast should I be patching my systems?”
This articulated need for good reference processes was further validated by observing that a common practice for “testing” a patch before a deployment often consisted solely of asking whether anyone else had any issues with the patch in an online forum.