Answer yes if your organisation produces or receives regular security updates for any applications it develops and hosts, and ensures that all applications procured from vendors are also supported with regular security patches.
What is the control?
Just like operating systems and other platforms need to be patched to remediate security vulnerabilities, so do applications. This includes applications procured from vendors, applications from public open source projects, and internally developed applications.
Why should I have it?
While OS patching addresses vulnerabilities in the operating system itself, it’s important to realise that vulnerabilities in applications can be just as bad.
In some cases, such vulnerabilities can mean that data held in the application can be accessed by unauthorised third parties, or that the application can be used to otherwise expose information.
In other cases, there is also the risk that the vulnerability can grant an attacker the access the application has to the system itself, which is typically elevated. Even when the application’s privilege is not elevated, the access can still give the attacker a foothold on the system from which they could escalate their level of access using other means.
It’s therefore critical to not limit patching to just operating systems but to patch (and in some cases update) applications whenever security vulnerabilities are disclosed.
Your patching policy should not be limited to operating systems but should include all applications in use in your organisation. The actual process is likely to be different for each application, so consult your vendor(s) as applicable, and your development team in the case of an in-house developed application.
Note that an important prerequisite to implementing a successful application patching process is an asset management process (one which tracks software installations and their versions) that is accurate, effective, and covers your entire estate: an application you do not know is installed is an application you will not patch.
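The prerequisite just described, an inventory accurate enough to be checked against disclosed vulnerabilities, can be exercised mechanically. The following Python script is an added example and not part of this article or of any particular product: it takes a constructed software inventory (of the kind an asset-management export might provide), a constructed list of security advisories with the version that fixes each, and reports installed applications that predate the fix as well as hosts that have no inventory entry at all. Every host, application name, version number and advisory identifier in it is invented for illustration.

```python
"""
Added example (not part of the original article): cross-check an asset
inventory against security advisories to find installed applications that
are still missing a security patch, and hosts the inventory does not cover.

All hosts, applications, versions and advisory identifiers below are
constructed for illustration; they describe no real product or vulnerability.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class InstalledApp:
    host: str
    name: str
    version: str
    source: str  # "vendor", "open-source" or "in-house"


@dataclass(frozen=True)
class Advisory:
    app: str
    advisory_id: str
    fixed_in: str  # first version that contains the fix


def parse_version(text: str) -> tuple:
    """Turn '4.3.1' (or '4.3.1-rc1') into a comparable tuple of integers.

    Non-numeric suffixes are dropped, so '4.3.1-rc1' compares equal to '4.3.1',
    and short versions are padded so '11.0' equals '11.0.0'. Adjust this if a
    vendor uses a different versioning scheme.
    """
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def missing_patches(inventory, advisories):
    """Return (installed_app, advisory) pairs where the installed version
    is older than the version in which the advisory was fixed."""
    by_app = {}
    for adv in advisories:
        by_app.setdefault(adv.app, []).append(adv)
    findings = []
    for app in inventory:
        for adv in by_app.get(app.name, []):
            if parse_version(app.version) < parse_version(adv.fixed_in):
                findings.append((app, adv))
    return findings


def uninventoried_hosts(known_hosts, inventory):
    """Hosts in the asset register with no software inventory at all: these
    are blind spots, since nothing can be checked for them."""
    return set(known_hosts) - {app.host for app in inventory}


# Constructed sample data standing in for an asset-management export.
INVENTORY = [
    InstalledApp("web-01", "ExampleCMS", "4.2.0", "open-source"),
    InstalledApp("web-02", "ExampleCMS", "4.3.1", "open-source"),
    InstalledApp("app-01", "VendorERP", "11.0", "vendor"),
    InstalledApp("app-01", "PayrollPortal", "2.7.3", "in-house"),
]

# Constructed advisories: vendor, open-source and in-house sources alike.
ADVISORIES = [
    Advisory("ExampleCMS", "EXAMPLE-2024-001", "4.3.0"),
    Advisory("VendorERP", "EXAMPLE-2024-002", "11.0.4"),
    Advisory("PayrollPortal", "INTERNAL-2024-003", "2.7.3"),
]

# Constructed asset register; db-01 has no inventory entry.
KNOWN_HOSTS = {"web-01", "web-02", "app-01", "db-01"}


if __name__ == "__main__":
    for app, adv in missing_patches(INVENTORY, ADVISORIES):
        print(f"{app.host}: {app.name} {app.version} ({app.source}) "
              f"needs {adv.advisory_id}, fixed in {adv.fixed_in}")
    for host in sorted(uninventoried_hosts(KNOWN_HOSTS, INVENTORY)):
        print(f"{host}: no software inventory, patch state unknown")
```

Run as written it reports two outstanding patches (the older ExampleCMS install on web-01 and VendorERP on app-01) and flags db-01 as a host whose patch state cannot be assessed; the in-house application is already at its fixed version and is not reported. The point of the second function is the one the article makes: an inventory that does not cover the whole estate leaves hosts that no patching process will reach.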
There are numerous consultancies and individual consultants that can assist in crafting a patching policy and implementing an SDLC that includes security best practice in a way that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email email@example.com. Contributors will be recognised on our contributors page.