The maintenance of software products is a very complex and time-consuming activity in modern data processing systems. In particular, a very important issue is the management of software patches (or fixes) that are continually published by the vendors of the software products to remedy the corresponding problems (at least temporarily). Indeed, problems are invariably found in every software product after it has been formally released (notwithstanding any previous beta-test or tryout distribution); this process is endless, since even when the problems have been fixed by the corresponding patches, new problems are discovered (or even introduced by the same patches). The patch management process is especially critical for problems that involve security vulnerabilities, which expose the system to malicious attacks, such as by hackers (all the more so because those vulnerabilities are by then public).
However, the patch management process is decidedly nontrivial; this is especially true in systems with a distributed architecture, wherein several software products are installed on a large number of computers. Indeed, patches are published very often (particularly for software products used on Personal Computers, such as those based on the “Windows” platform by Microsoft Corporation); moreover, different patches are available for the same problem (for example, depending on the underlying software platform, on the installation language of the software product, and on the patches already installed). Therefore, the task of the system administrator (maintaining the installed software products at the correct service level) is very complex.
For this purpose, the administrator may exploit software distribution applications, which are available for facilitating the deployment of software products from a central site to multiple target computers (or endpoints); indeed, the patches can be embedded into software packages and then distributed to the endpoints for installation (like any other software product).
However, in this scenario no specific solution is known in the art for automating the patch management process. Therefore, the administrator must manually trace the state of the different endpoints (to obtain a picture of the software products that are allegedly installed on them); the administrator must then interpret the available information in order to decide which patches should be installed on which endpoints. Once the patches have been selected, the administrator builds the corresponding software packages (for the different types of software products involved); the application of those software packages can then be enforced on the desired endpoints.
All of the above requires a series of manual operations by the administrator, which have a detrimental impact on the productivity and reliability of the patch management process. Moreover, the installation of the patches on the endpoints is not optimized (for example, the process may involve repeating the same operation several times or performing operations that are not necessary). In any case, it is very difficult to ensure the correct order of application of the patches.
A further drawback of the solutions known in the art is that any reporting of the level of compliance of the endpoints with a predefined security standard must be done manually. Therefore, the process is error-prone and the results obtained are quite unreliable.
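The three manual steps the text describes (tracing endpoint state, deciding which patch variant applies to which endpoint in which order, and reporting compliance with a baseline) can be made mechanical. The following Python sketch is an added illustration, not part of this document or of any product it refers to: the patch catalog (P1 to P5), the platform, language and product names, the endpoints, and the baseline are all constructed; the applicability rule (product installed, platform and language match), the "supersedes" relation, and the prerequisite ordering are assumptions about how such a catalog might be modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Patch:
    """One vendor fix; the same problem may have several variants (per platform/language)."""
    pid: str
    product: str
    platforms: FrozenSet[str]                    # platforms this variant applies to
    languages: FrozenSet[str]                    # installation languages it applies to
    prerequisites: FrozenSet[str] = frozenset()  # patches that must already be present
    supersedes: FrozenSet[str] = frozenset()     # older patches this one replaces


@dataclass
class Endpoint:
    """Inventory record of one target computer (what the administrator traces by hand)."""
    name: str
    platform: str
    language: str
    products: FrozenSet[str]
    installed: Set[str] = field(default_factory=set)


# Constructed sample catalog and inventory (hypothetical ids, platforms and products).
CATALOG: Dict[str, Patch] = {p.pid: p for p in [
    Patch("P1", "editor", frozenset({"win", "linux"}), frozenset({"en", "de"})),
    Patch("P2", "editor", frozenset({"win"}), frozenset({"en"}), prerequisites=frozenset({"P1"})),
    Patch("P3", "editor", frozenset({"win"}), frozenset({"de"}), prerequisites=frozenset({"P1"})),
    # P4 is a re-issue of P2 for the same problem and replaces it on English Windows endpoints.
    Patch("P4", "editor", frozenset({"win"}), frozenset({"en"}),
          prerequisites=frozenset({"P1"}), supersedes=frozenset({"P2"})),
    Patch("P5", "db", frozenset({"linux"}), frozenset({"en", "de"})),
]}

ENDPOINTS: Dict[str, Endpoint] = {e.name: e for e in [
    Endpoint("ws1", "win", "en", frozenset({"editor"})),
    Endpoint("ws2", "win", "de", frozenset({"editor"}), installed={"P1"}),
    Endpoint("ws3", "win", "en", frozenset({"editor"}), installed={"P1", "P4"}),
    Endpoint("srv1", "linux", "en", frozenset({"editor", "db"}), installed={"P5"}),
]}

# Security baseline: patches every endpoint must carry wherever they apply to it.
BASELINE: FrozenSet[str] = frozenset({"P1", "P3", "P4", "P5"})


def applicable(patch: Patch, ep: Endpoint) -> bool:
    """A patch variant applies only to the matching product, platform and language."""
    return (patch.product in ep.products
            and ep.platform in patch.platforms
            and ep.language in patch.languages)


def effective_installed(ep: Endpoint, catalog: Dict[str, Patch]) -> Set[str]:
    """Installed patches plus everything they (transitively) supersede."""
    eff, stack = set(ep.installed), list(ep.installed)
    while stack:
        for older in catalog[stack.pop()].supersedes:
            if older not in eff:
                eff.add(older)
                stack.append(older)
    return eff


def _unmet(pid: str, remaining: Set[str], catalog: Dict[str, Patch]) -> bool:
    """True while a prerequisite (or a patch replacing it) is still waiting to be installed."""
    return any(q in remaining or any(q in catalog[r].supersedes for r in remaining)
               for q in catalog[pid].prerequisites)


def select_patches(ep: Endpoint, catalog: Dict[str, Patch]) -> List[str]:
    """Missing applicable patches for one endpoint, in an order that respects prerequisites.

    Already-installed and superseded patches are skipped, so no operation is repeated or
    wasted; a prerequisite that can never be satisfied is reported instead of silently ignored.
    """
    effective = effective_installed(ep, catalog)
    candidates = {p.pid for p in catalog.values() if applicable(p, ep) and p.pid not in effective}
    superseded = set().union(*(catalog[c].supersedes for c in candidates))
    wanted = candidates - superseded
    for w in wanted:
        for q in catalog[w].prerequisites:
            if not (q in effective or q in wanted or any(q in catalog[r].supersedes for r in wanted)):
                raise ValueError(f"{ep.name}: {w} needs {q}, which is neither installed nor applicable")
    ordered, remaining = [], set(wanted)
    while remaining:  # repeated passes of a topological sort; deterministic via sorting
        ready = sorted(w for w in remaining if not _unmet(w, remaining, catalog))
        if not ready:
            raise ValueError(f"{ep.name}: cycle among prerequisites of {sorted(remaining)}")
        ordered.extend(ready)
        remaining -= set(ready)
    return ordered


def compliance_report(endpoints: Dict[str, Endpoint], catalog: Dict[str, Patch],
                      baseline: FrozenSet[str]) -> Dict[str, List[str]]:
    """Per endpoint, the applicable baseline patches it lacks (empty list = compliant)."""
    return {ep.name: [pid for pid in sorted(baseline)
                      if applicable(catalog[pid], ep)
                      and pid not in effective_installed(ep, catalog)]
            for ep in endpoints.values()}


if __name__ == "__main__":
    for name, ep in ENDPOINTS.items():
        print(f"{name}: install {select_patches(ep, CATALOG)}")
    for name, missing in compliance_report(ENDPOINTS, CATALOG, BASELINE).items():
        print(f"{name}: {'compliant' if not missing else 'missing ' + ', '.join(missing)}")
```

Two design points follow directly from the drawbacks listed above: `select_patches` drops a patch that is superseded by another applicable one (so only the newest variant is packaged, rather than installing both in turn), and the report is computed from the same inventory that drives selection, so the compliance figure cannot drift from what was actually deployed.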