Commentary: A plethora of patches
By Forrester Research
Special to CNET News.com
October 2, 2003, 10:05AM PT

By Jan Sundgren, Analyst

Smooth and timely application of security patches has become a major concern for many organizations, and several vendors now offer products specifically for patch management.

These vendors aim to offer better functionality and performance than Microsoft's Software Update Service, and some support other platforms besides Microsoft (or additional Microsoft platforms, like NT). The market uptake of these solutions is just beginning, and this is a dynamic market--new vendors are entering from related markets (for example, configuration management), and many of the products are rapidly improving.

Organizations should consider a couple of major differentiators right off the bat. First, only a few products currently target non-Microsoft platforms, so there's considerably less choice if comprehensive patch management for multiplatform networks is required. Forrester expects this to change as the Microsoft-targeted products extend their capabilities to other platforms.


Second, patch management products tend to use one of two architectures--an agent-based approach or a scanning-based approach. Using agents on the systems being patched improves the accuracy of the information collected by the patch management server, and it makes the deployment process more reliable, requiring less constant connectivity and fewer specific configurations of the target systems. It also entails less network traffic than scanning.

On the other hand, agents constitute another piece of software to be installed and managed. Agents are typically small, but installation still entails extra time and effort during deployment, and they may need to be updated or reinstalled occasionally.

Stand-alone patch management products include the following:

• PatchLink Update: This agent-based product is one of the few that cover other platforms (IBM AIX, Linux, Novell Netware and so on) as well as Microsoft. The product consistently gets good reviews, though the installation and management of the agents may be somewhat cumbersome, especially in a multiplatform environment.

• BigFix Enterprise Suite: BigFix is targeted at larger enterprises, and it achieves its scalability with an agent-based approach and features designed to streamline patch deployment across a large network. But BigFix appears to be considerably more expensive than the alternatives.

• St. Bernard Software UpdateExpert: This product is unique in that the latest version (6.1) comes with an optional agent, allowing customers to use agents on some systems and agentless management on others.

• Shavlik HFNetChk Pro: This scanning-based product is an enterprise version of the product that Microsoft offers at no cost. It is quick and easy to deploy, and it gets high marks for its integration with Microsoft applications.

• Gravity Storm Service Pack Manager 2000: This is another scanning-based product that is easy to install, but while its scanning engine is highly rated, its reporting capabilities get less favorable reviews.

• Ecora Patch Manager: Though this product can be purchased as a standalone product, Ecora also offers more general configuration management tools. Like PatchLink Update, this product can manage multiple platforms, but it does not deploy an agent.

Another configuration management vendor that has developed a patch management module is ConfigureSoft, but its Secure Update Manager is not a standalone product, and it does not yet handle non-Microsoft systems. Forrester is also beginning to see the addition of patch management capabilities by systems management vendors like Altiris and LANDesk, and even personal firewall vendors expanding to policy enforcement.

© 2003, Forrester Research, Inc. All rights reserved. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
