In my book titled Curing the Patch Management Headache, Chapter 8 is dedicated to testing. The following answer includes some excerpts from that chapter.
Some tips for testing include developing a well-defined testing process. A testing process cannot only minimize time and resources required, but also help minimize the chaotic fallout that might result if required functionality is not accounted for during the testing process, leaving critical production systems that may not operate properly after a patch is deployed.
A high level testing process includes such phases as:
- Pre-install activities
- Patch installation
- Test intended purpose
- Test primary uses
- Test secondary uses
- Testing patch back out
- Approving deployment
Another tip for testing includes creating a Release Schedule that is based on the Security Priority given to each patch. For example, a patch with a Critical Priority should be implemented within 48 hours with a maximum timeframe of within two weeks. While a Low Priority patch could have a recommended timeframe of one month with a maximum timeframe of two months. Developing a release schedule will assist in ensuring that patches are installed during a required timeframe that is achievable for the organization.
As for customizing the testing methodology, the phases listed above will apply regardless of the organization; however, the procedures may vary from customer to customer depending on their environment, the tool used to deploy the patch, the availability of a lab to conduct testing and the resources that are available to spend the time necessary on preparing the patch for deployment.
This was first published in October 2006