DIY Patch Management

April 09, 2018 00:00

Slides for the talk by @shantycode and @ingobente from BSidesMunich 2018.

Installing software patches is a no brainer when it comes to security. Over the past years, several stories about major flaws have been covered in the media. Those who follow the coverage understand that being up to date with the latest MacOS or Windows patches has become a necessity. For consumer computer it is easily done: click a button, sometimes reboot, and you are good to go.

Yet, when it comes to larger IT infrastructures, promptly patching seems to be a hard problem. Otherwise, recent ransomware attacks that exploit vulnerabilities months after a patch was made available would not have such a great impact that makes everybody go into panic mode.

In this talk, we will tell the story of how we managed to fix our own patch management procedures. What used to be a manual, checklist based and thus inconsistent approach in a heterogenous environment, has now become largely automated. Daily, host-based scans search for software packages with known vulnerabilities. Results are logged to a central ELK stack. Dashboards provide insights for management. The actual patching is done by leveraging unattended-upgrades with some custom code. The result: an IT-infrastructure that keeps itself up-to-date. Bonus: no money was spent on commercial software.



Ingo Bente