7 Open Source Patch Management Software to Bootstrap Your Business
Why do you need patch management software? Patch Management Tips, Tricks, and Hacks
Ever since Microsoft said that outdated software is the preferred entry point for threat actors, patch management has finally gotten the attention it deserves; and for a very good reason. Outdated and unpatched apps are not only useless (i.e. good luck firing up a pdf reader if it’s outdated), but, as I pointed out, they’re like big “Welcome” mats for hackers who would like nothing more than to steal your company’s data. But you already know that and, if you’ve been in business (whatever business) longer than you care to recall, you probably know better than to incur the wrath of your sysadmin. So, for all sysadmins there, burning the midnight oil just to keep your endpoints in tip-top shape, and making sure that none of your precious data leaks out, here’s some open-source patch management software to make your life easier. Sit back, take five, and enjoy. Hope it’s your cup of tea.
Why do you need patch management software?
Short answer: “because it’s the norm and you can’t do without”. Not the answer you were looking for? Allow me then to be more explicit. According to ThreatPost, more than 80% of enterprises have at least one outdated or unpatched application. How much is that in numbers? Well, the same article mentions that last year alone, more than 16,000 patch-related vulnerabilities have been identified. By now, they would have had multiplied exponentially. So, what happens when someone finally decides to deal with this ‘unpatchiness’? Truth be told, it does happen – eventually. The same article suggests that the patching process can take two or even three months. It’s not very hard to imagine what could happen during this time. That would be one of the reasons why you need patch management in your life.
True automation in patch management
The second most important reason is automation; true automation that spells out speed, quality, and scalability. If you’re the type that likes to keep a small family business (i.e. two-three devices), using patch management apps doesn’t make sense. However, the same thing cannot be said about an SMB or an enterprise. We already covered this aspect, so there’s no point in repeating it. To sum everything up, you need patch management software for security reasons, true automation, and because you’re only human. Personally, the real question at hand is: “is it worth it?” It is, but you’ll probably need some convincing. Now, if your company doesn’t have the necessary liquidities to invest in full-fledged patch management software, you can try out one or more of the solutions listed here. As the title suggests, all of them are open-source and can be modified based on your needs and number of endpoints. So, without further ado-ado, here are 7 open-source patch management software you should try out.
7 Best Open-Source Patch Management Software
Let’s get started. Here are some of my favorite software patching tools.
The first item’s on today’s menu is Comodo’s ONE Windows Patch Management, an open-source and free-for-all management tool that allows you to deploy Microsoft Windows updates and patches. Despite its free availability, Comodo’s ONE offers some powerful features. For instance, the tool allows admins to deploy both third-party and Windows updates or patches. Another advantage would be the endpoint discovery tool that helps you identify all the hosts in your network and determine software versions running on those machines.
- Remote patch and update deployment.
- Fully compatible with WSUS and SCCM.
- Powerful reporting features. Sysadmins can figure out versioning, number of endpoints, number of servers, gather OS and machine data, workstations running obsolete software, and more.
- Secure testing environment. Comodo’s ONE allows you to run simulations before the actual deployment of patches or updates. That way, you can evaluate the impact of those updates and/or patches.
- Scheduling options.
- Policy enforcement for enterprise path management.
Pulseway is a hybrid patch management – DNS protection solution. The basic tier is free of charge and can accommodate a small business with a dozen endpoints or so. However, if you want to unlock the full functionality of Pulseway (i.e. deploy it on even more endpoints), you will need to pay. Still, if you’re somewhat unfamiliar with this kind of software, the free version is the way to go. On the patch management side, Pulseway covers both Microsoft Windows and third-party updates and patches, versioning, advanced scheduling, network discovery, collaborative environments, and more. In my opinion, it’s one of the most scalable third party patching tools out there.
Some other features you should look forward to
- Remote patch and update deployment.
- No web-based dashboard. Commands are issued from the terminal. Has a steep learning curve.
- Network discovery features. Helps you identify all endpoints (and devices) connect to the network. Besides, it will show you the software versions and which apps need updating or patching.
- Easy Active Directory. Effortlessly add or remove devices from your network, without having to make modifications to your firewall or policies.
- Disaster recovery and endpoint protection. Pulseway has DNS filtering features, which help you drop malicious packets. File backup can also be automatized.
- Online collaboration. Remote mouse and keystrokes control, navigate between multiple screens, and more.
3) GFI LanGuard
GFI LanGuard is not exactly open-source, but I chose to include it in the list since its 30-day trial gives you access to all of its features. On top of that, it’s very easy to use, compatible with all major operating systems (i.e. Linux, Microsoft Windows, and Mac OS X) and has some pretty impressive vulnerability mitigation features.
Other stuff that recommends GFI LanGuard
- On-demand and automatic network scanning.
- Deployment and installation of Microsoft Windows and third-party updates or patches.
- MDM features. Can help you set up Android and iOS devices. On top of that, GFI LanGuard can aid you in discovering vulnerabilities endemic to mobile devices.
- UX-oriented design. The web-based dashboard simplifies logging and reporting. It also offers granular control over what goes on in your endpoints.
- Identify and auto-downloads missing patches and updates. All updates are downloaded over an SSL connection.
- Fully compatible with all vulnerability assessment standards includes SANS Top 20 and OVAL.
ManageEngine’s Desktop Central is an open-source patch and vulnerability management tool that allows you to deploy Windows updates on the fly, configure firewall & wireless devices, remote-wipe company data, and control USB policies. Desktop Central’s uniqueness is its ability to conduct pre-testing on patches and updates before deploying them in bulk. A very robust software update management system.
Even more features
- Advanced reporting features. The solution periodically generates patching reports. Very helpful for that monthly vulnerability assessment meeting (if you have one, of course).
- Supports both Windows updates/patches and third-party.
- Can help you get rid of unwanted data.
- Thumb drive device management. Desktop Central can help you secure unsigned thumb drives and enforce removable media policies.
The Local Update Publisher works as an extension to Windows’ Software Update Services, allowing system admins to create custom software packages and publish them (after approval) to WSUS. Since this is an extension, Local Update Publisher is free to use. One of the tool’s most useful features is the installation tracker, a widget that lets you keep tabs of the installation process (duh!).
Other features that recommend Local Update Publisher
- Rules generator. The tool allows the system administrator to create patch/update installation rules.
- WSUS and SCCM compatible. Can use a pre-existent WSUS architecture.
- Microsoft and 3rd party updates and patches.
- Update catalogs. You can export and import standardized update catalogs.
- Scanning and testing before approval and deployment. Fully automatic patching flow. First, the package is scanned for malware. The next step involves testing the package in a secure environment. Upon approval, the patch or update is deployed and installed.
It’s not exactly a patch management solution, but it does have some good patching and patching abilities. Action1 is ‘marketed’ as an SMB-oriented endpoint management tool, covering hardware and software inventory, cloud-directed patch deployment & management, MDM, and endpoint security. On top of that, it’s open-source and highly customizable.
Even more features
- Auto and remote boot on patch\update installation.
- Open-source patch management software designed for corporate.
- Software and hardware inventory.
- Advanced reporting. Generate detailed reports regarding network vulnerabilities, updates required, failed installations, and more.
- Force-installation of patches and updates.
Yeah, I know that it sounds like an app for chocolate enthusiasts, it’s actually a very powerful patch management tool, capable of supporting more than 7,000 packages. A word of caution – Chocolatey is not for the weak-hearted, since it uses a SSH command line. So, a very steep learning curve, but, once you get a hang of it, you’ll be able to do some very cool stuff like force-install or uninstall applications, create custom packages and scripts. Even more awesome is the fact that Chocolatey is free of charge.
- Task scheduler.
- Construct automation flows with simple scripts; great patch management smb tool.
- Upgrade or downgrade apps on the fly.
- Commercial plan available.
Simple standalone security solutions are no longer enough.
HEIMDAL™ ENDPOINT PREVENTION
- DETECTION AND CONTROL
- Next-gen Antivirus & Firewall which stops known threats;
- DNS traffic filter which stops unknown threats;
- Automatic patches for your software and apps with no interruptions;
- Privileged Access Management and Application Control, all in one unified dashboard
Patch Management Tips, Tricks, and Hacks
Want to improve your ‘patching’ hygiene? Here are some tips and tricks that will sure to be of some use. a) Every device should be patched. This includes servers, printers, wearables, smartphones, tablets, and everything connected to the company’s network. b) Smoke-test your patches before all-out deployment. Smoke testing is a type of building verification testing, aimed at making sure that the build’s vital features are up and running. There are plenty of open-source smoke tools, some of them being free to use. c) Patching goes hand in hand with endpoint security. Patching is important. However, keeping your endpoints safe against malware that could be hiding update packages is equally important. Heimdal™ Security’s Thor Premium Enterprise will keep all your apps and software up to date while ensuring that not malware sets foot in your endpoints. All the packages are downloaded over a secure communication. On top of that, X-Ploit Resilience, Thor Premium Enterprise’s automatic patching engine, will allow you to deploy custom .msi packages; very useful when you need to update/patch proprietary software.
Patch management software is bound to take the heat off your sysadmins, free up some of their time spent hounding outdated apps. What’s your favorite patch management tool? Hit the comments section and let me know.