- network and cloud infrastructure providers
- <anything>-as-a-service providers
- outsourced IT operations
- in-house IT operations
- individual users
Deployers typically must take some action in response to a vulnerability in a product they've deployed. Most often this means deploying a patch, but it can also involve the application of security controls, such as reconfiguring defensive systems, adding monitoring or detection rules, or applying mitigations.
- Become aware of vulnerability, mitigation, and/or fix.
- Prioritize the mitigation or fix into existing workload (triage).
- Test the mitigation or fix.
- Confirm that the fix addresses the problem.
- Avoid undesirable side effects.
- Identify affected systems and plan the deployment:
- staged or all-at-once
- automated or manual
- scheduled update window or out-of-band
- Deploy the mitigation or fix to affected systems.
We cover each of these in more detail below.
- The system's availability and performance are critical
- Reverting a patch deployment gone bad is difficult
In environments with efficient automated deployment and rollback capabilities, it may not be as necessary to test as heavily. But that's often an ideal scenario that few deployers find themselves in. Staged deployments or rollouts can be a significant help here—where some portion of the affected systems are updated to confirm the fix prior to wider rollout—allowing deployers to balance patch deployment with the risk of negative side effects.