1

I've been thinking about this lately. Are they the same thing? Or does the latter involve a lot more than just the management of patches?

Sajuuk
  • Patches do not always address vulnerabilities, and not all vulnerabilities are resolved by patches. – schroeder Jul 06 '17 at 15:45
  • These are two overlapping tasks. Moreover, on poor-quality software, patches fix or improve software functions and introduce new vulnerabilities. This explains why poor-quality software has a regular number of vulnerabilities every month. – dan Jul 07 '17 at 07:59

3 Answers

2

To find out the differences let's look at what these types of management actually do first.

Patch Management

Patch management includes the planning, acquiring, testing and installing of changes to software. This can be any kind of software: operating systems, drivers, application software or firmware on appliances. A patch is not necessarily installed to fix a vulnerability, but it can be. Oftentimes it is provided to fix bugs or to update software to the newest version. In medium-size or big organizations - places where you typically have patch management - there are special software solutions in use to deploy patches to a big number of systems. To give an example: WSUS is such a software.

Vulnerability Management

Following Wikipedia, vulnerability management is:

the "cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities", particularly in software.

I want to add that vulnerabilities are not only found in software, but can also be present in hardware and even in processes or things that are more related to "the physical world", like a door (e.g. a weak lock) or the windows in your office. But a typical vulnerability management will not deal with these things, although it can. This differs from organization to organization.

See also the following definition in ISO 27000:

vulnerability

weakness of an asset or control that can be exploited by one or more threats

Vulnerabilities in software are often eliminated through the installation of a patch. This is why some people say that vulnerability management is a part of patch management. I wouldn't say so, and here's why: there are sometimes scenarios where you have to operate systems that have vulnerabilities that cannot be fixed. For example, you have a customer that wants you to run a server with a very old operating system. If management thinks this customer is important, you sometimes have no choice but to accept the presence of these vulnerabilities and might not be able to patch them. You obviously have to install other controls to secure this server somehow. This would be a part of "managing" a vulnerability. (An even simpler example would be: sometimes there is no patch.)

Conclusion

Patch and vulnerability management sound alike but are different. Patch management deals with patches, updates and fixes of software that have to be installed for several different reasons. The rollout of these patches has to be planned beforehand and you need to know which machines need a patch at what time. (If you operate several thousand desktop PCs, this task is a lot harder than it sounds.)

Vulnerability management only deals with security (and sometimes safety) issues of (mostly) software. A lot of the time, these issues can be resolved with a patch, but certainly not always. Vulnerabilities can be present in all kinds of systems and can be eliminated with lots of different strategies. Admins can change the firewall policies, the network setup, buy new hardware, train employees etc. To fix a vulnerability with a patch indefinitely is almost always a very good solution, but it might not always be possible.

Tom K.
0

They overlap a lot, but they're definitely not the same.

I see vulnerability management as a far more important activity - and patching as one of the possible activities to manage the vulnerabilities. In this sense, there is a lot more to vulnerability management than patching (or patch management). Most often, this is managed by security professionals. Often we see vulnerabilities not covered by available patches.

Ideally, patching as an activity should be prioritized based on vulnerabilities that the patches fix. However, at the most basic level of maturity, it tends to be an independent activity carried out by IT admins. In such cases we sometimes see patches that are not related to known vulnerabilities (probably fix defects not related to security - or simply a routine activity).

Sas3
0

When you apply patches, you hope the patches fix known vulnerabilities in the vendor's product, but you are relying on the software vendor to have done vulnerability management of their own product.

But your overall vulnerability management is not just the sum of applying fixes to your organization's software packages. That is part of it but not all of it, and not even most of it.

Vulnerability management is a continuous practice of identifying, classifying, quantifying, and mitigating weaknesses in your organization's IT systems. Software malfunctions are often exploited to gain access to systems, but there are plenty of ways to breach an organization's IT systems without exploiting a software bug.

Thomas Carlisle