This document is effective from 17/03/16.
New Release – a new version of Fewzion with Security Fixes
Security Fix – code developed to fix a particular vulnerability
Windows Patch (Patch) – a self-contained package that contains all the information required to update a Windows application.
Patch Set – a group of Security Fixes
We do not patch our system with individual Patch Sets; instead we always deploy the latest version of the Fewzion software, with all of the necessary Security Fixes, as a New Release, so that the system is as secure as possible. A New Release is published fortnightly, driven by Customers' requests and by the vulnerability reports produced by our Acunetix scans.
Our Windows patching practice is based on Microsoft standards. When new Windows Patches are released, we use our Windows Patch Management Process to select and test the necessary patches, and we install them on the production servers monthly (usually on the third or fourth Sunday of the month, depending on the testing results).
We announce each New Release deployment by email two weeks in advance so that Customers have time to contact us with special requests.
New Release Management
We use Octopus Deploy for creating and deploying our New Releases by following the conceptual process of Octopus Deploy (see below).
- Code written by our developers is pushed to our GitHub repository (Version Control Server).
- TeamCity (Build Server) builds a package from that code.
- We create a New Release in Octopus Deploy that contains the package and variables.
- We deploy the New Release with Octopus Deploy (see the deployment screen below) using the canary deployment method.
The idea of canary deployment is to first deploy the change (the New Release) to a single server, verify it there, and only then roll the change out to the rest of the servers. The canary acts as an early warning indicator and limits the blast radius: if the canary deployment fails, the remaining servers are not affected and the rollout is stopped before it causes wider downtime.
Windows Patch Management
We use ManageEngine's Desktop Central to install the tested and approved Windows patches on our production servers, following our patch management process (see the Windows Patch Management Process section). This keeps the window in which our servers are exposed to known vulnerabilities as short as practicable.
Each release of Fewzion is well documented with the included Security Fixes and changes from the previous version for audit purposes.
Patch Management Cycle
We at Fewzion believe that a successful patch management process requires prerequisites such as awareness of security and patching at all levels of the company, assigning responsibilities to the right people, understanding our current processes and establishing a chain of communication.
Thus, we follow an eight-step patch management cycle:
The assessment phase determines the inventory (our existing computing assets), assesses security threats and vulnerabilities, determines the best source of information about the software updates required for a new computer installation, and assesses operational effectiveness. It thereby prepares us to respond to new software updates.
1. Update inventory
By updating our inventory we gather information about our environment (installed operating systems, software and patches) monthly, so that we can readily determine which available Patches apply to which systems and whether they are already installed.
The identification phase discovers new software updates from reliable sources, such as Microsoft and the other vendors whose software is in our environment.
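As an added example (not Fewzion's own tooling), the following PowerShell script collects the inventory this step describes: operating system, installed hotfixes and installed software for a list of servers, written to a CSV file, followed by a check of which hotfixes each server is missing relative to the first server in the list. The server names are placeholders; the script assumes PowerShell remoting (WinRM) is enabled on the targets and that the caller has administrator rights on them.

```powershell
# Added example, not part of Fewzion's documented tooling.
# Assumes: PowerShell 5.1+, WinRM enabled on targets, caller is a local admin there.
# Server names are placeholders.
param(
    [string[]]$ComputerName = @('app-canary-01', 'app-prod-01', 'app-prod-02'),
    [string]$OutputPath = ".\inventory-$(Get-Date -Format 'yyyy-MM-dd').csv"
)

function Get-ServerInventory {
    param([string]$Name)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Name -ErrorAction Stop
    $hotfixes = Get-HotFix -ComputerName $Name -ErrorAction Stop

    # Installed software comes from the Uninstall registry keys (64- and 32-bit views).
    # Win32_Product is deliberately avoided: querying it triggers MSI consistency
    # checks and can repair or reconfigure packages on the target.
    $software = Invoke-Command -ComputerName $Name -ErrorAction Stop -ScriptBlock {
        $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" } |
            Sort-Object -Unique
    }

    [pscustomobject]@{
        Computer       = $Name
        OSCaption      = $os.Caption
        OSVersion      = $os.Version
        LastBootUpTime = $os.LastBootUpTime
        HotfixCount    = @($hotfixes).Count
        Hotfixes       = (@($hotfixes.HotFixID) | Sort-Object) -join ';'
        Software       = @($software) -join ';'
    }
}

$inventory = foreach ($name in $ComputerName) {
    try {
        Get-ServerInventory -Name $name
    }
    catch {
        # Record unreachable hosts rather than silently dropping them: a server
        # missing from the inventory is a server whose patch state is unknown.
        Write-Warning "Inventory failed for ${name}: $($_.Exception.Message)"
        [pscustomobject]@{
            Computer = $name; OSCaption = 'UNREACHABLE'; OSVersion = ''
            LastBootUpTime = $null; HotfixCount = 0; Hotfixes = ''; Software = ''
        }
    }
}

$inventory | Export-Csv -Path $OutputPath -NoTypeInformation
$inventory | Format-Table Computer, OSCaption, OSVersion, HotfixCount -AutoSize

# Drift check: which hotfixes present on the first (reference) server are absent elsewhere?
$reference    = $inventory | Select-Object -First 1
$referenceKBs = $reference.Hotfixes -split ';' | Where-Object { $_ }
foreach ($row in ($inventory | Select-Object -Skip 1)) {
    if ($row.OSCaption -eq 'UNREACHABLE') { continue }
    $present = $row.Hotfixes -split ';' | Where-Object { $_ }
    $missing = $referenceKBs | Where-Object { $_ -notin $present }
    if ($missing) {
        Write-Output ("{0} is missing {1} hotfix(es) present on {2}: {3}" -f
            $row.Computer, @($missing).Count, $reference.Computer, ($missing -join ', '))
    }
}
```

Run it from an administrative PowerShell session, for example `.\Get-PatchInventory.ps1 -ComputerName srv01,srv02`. Putting the canary server first makes the drift check report every production server that lags behind the canary after a rollout, and the CSV from each monthly run is the record a later "Update baseline" step can be built from.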
2. Search for new patches
We gather information about new patches once per patch cycle for each vendor.
The evaluation phase determines whether new updates are relevant to Fewzion by making go/no-go decisions, determines whether an update requires the normal process or an emergency deployment, and confirms that the update does not compromise business-critical systems and applications.
3. Evaluate new patches
Evaluation of new patches is critical at Fewzion, so we use a three-level evaluation.
- Technical evaluation: we assess whether the updated software corrects a problem with the services and features of our applications.
- Business impact assessment: we determine whether updating, or not updating, the software will affect our business processes, in terms of both risk and cost. This assessment also determines the appropriate time for updating, based on the scheduling of downtime, the length of downtime, the consequences of unplanned downtime, and Microsoft's recommended patching timeframes (below). A Critical patch therefore goes through the emergency deployment path from the evaluation phase rather than waiting for the monthly maintenance window.
Severity Rating   Patching Timeframe (after testing)
Critical          Within 24 hours
Important         Within 1 month
Moderate          Within 4 months
Low               Within 1 year
- Security evaluation: we check for security implications that the technical evaluation did not identify. A patch may bring no performance benefit yet still bring a security benefit, which on its own justifies applying it.
4. Make go/no-go decision
Based on the results of the patch evaluation, our technical manager / management team decides which patches proceed to testing.
5. Test selected patches
Testing is a critical process at Fewzion, so we perform in-depth testing on our test server to ensure that business-critical systems and applications work properly after patching. This also verifies that the update packages are intact and that they install and uninstall correctly.
We use the canary deployment method for rolling out patches to a subset of servers. The tested patches are first deployed to one production server, checked there, and then rolled out to the rest of the servers. The canary deployment serves as an early warning indicator and limits the impact on downtime: if the canary deployment fails, the rest of the servers are not affected.
We always prepare for patch deployment by planning the specific steps, the time required, the notification of stakeholders (one week in advance), and contingency steps such as a back-out plan in case something does not proceed as intended. We also hold a post-implementation review to gather deployment statistics and document them.
6. Deploy new patches
The patches are deployed on an agreed date and time (usually on a Sunday between 4:00 PM and 8:00 PM) to minimise production downtime.
7. Review of deployment
The deployment review provides information about the success of the deployment, any need for process improvement to ensure better success in the future, the performance of the patch deployment team, and whether any SLAs need to be adjusted.
Back to Assessment phase
Our software baseline contains the information required to rebuild a system, or deploy a new one, to the most current secure state. It includes all of the most current vendor-released patches, as reported by Microsoft Baseline Security Analyzer (MBSA).
8. Update baseline
We update the baseline so that it documents the current set of security updates required for a new computer installation.