Problem solve Get help with specific problems with your technologies, process and projects.

How do I create a repeatable patch testing methodology?

Patch testing is a crucial first step in patch management. Learn how to create a repeatable methodology to improve this process.

I am in the process of creating some kind of repeatable testing methodology that I can use as a test guide or confidence exercise to test patches before deploying them in my customers' live environments. Can you give me some tips that I can use? To what degree should I customize the methodology for each customer?

In my book titled Curing the Patch Management Headache, Chapter 8 is dedicated to testing. The following answer includes some excerpts from that chapter.

Some tips for testing include developing a well-defined testing process. A testing process cannot only minimize time and resources required, but also help minimize the chaotic fallout that might result if required functionality is not accounted for during the testing process, leaving critical production systems that may not operate properly after a patch is deployed.

A high level testing process includes such phases as:

  • Pre-install activities
  • Patch installation
  • Test intended purpose
  • Test primary uses
  • Test secondary uses
  • Testing patch back out
  • Approving deployment

Another tip for testing includes creating a Release Schedule that is based on the Security Priority given to each patch. For example, a patch with a Critical Priority should be implemented within 48 hours with a maximum timeframe of within two weeks. While a Low Priority patch could have a recommended timeframe of one month with a maximum timeframe of two months. Developing a release schedule will assist in ensuring that patches are installed during a required timeframe that is achievable for the organization.

As for customizing the testing methodology, the phases listed above will apply regardless of the organization; however, the procedures may vary from customer to customer depending on their environment, the tool used to deploy the patch, the availability of a lab to conduct testing and the resources that are available to spend the time necessary on preparing the patch for deployment.

Dig Deeper on Cybersecurity risk assessment and management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.