IT AI Skill

Vulnerability Patching

Manage vulnerability scanning and patch management including automated vulnerability detection, risk-based prioritization, patch testing, deployment scheduling, compliance verification, and patch reporting. Use when scanning for vulnerabilities, managing pa...

Vulnerability Scanning & Patch Management

Automatically detect, prioritize, test, and deploy security patches across all infrastructure with zero downtime.

Automated Vulnerability Scanning

Scan Configuration & Execution

VULNERABILITY SCANNING FRAMEWORK:
══════════════════════════════════

SCAN COVERAGE:
  ┌──────────────────────────┬──────────┬──────────┬───────────┐
  │ Asset Type               │ Count    │ Scan Freq│ Scanner   │
  ├──────────────────────────┼──────────┼──────────┼───────────┤
  │ Linux servers            │ 120      │ Weekly   │ Qualys    │
  │ Windows servers          │ 45       │ Weekly   │ Qualys    │
  │ Containers (K8s pods)    │ 380      │ Daily    │ Trivy     │
  │ Cloud instances (AWS)    │ 85       │ Daily    │ Inspector  │
  │ Cloud instances (Azure)  │ 30       │ Daily    │ Defender  │
  │ Web applications         │ 18       │ Weekly   │ Burp Suite│
  │ Network devices          │ 42       │ Monthly  │ Tenable   │
  │ Endpoints (laptops)      │ 450      │ Weekly   │ CrowdStrike│
  │ SaaS applications        │ 25       │ Monthly  │ Wiz       │
  │ ────────────────────── │ ────── │ ─────── │ ───────── │
  │ TOTAL                   │ 1,195    │          │           │
  └──────────────────────────┴──────────┴──────────┴───────────┘

SCAN CONFIGURATION:
  Vulnerability sources:
    - NVD (National Vulnerability Database) — primary
    - MITRE CVE — comprehensive coverage
    - CIS (Center for Internet Security) benchmarks
    - Cloud provider security advisories (AWS, Azure)
    - Vendor-specific advisories (OS, middleware, applications)
    - Internal vulnerability database (custom findings)
  
  Scan types:
    Authenticated scans: 85% (deeper coverage, accurate results)
    Unauthenticated scans: 15% (external-facing, internet-exposed)
    Agent-based: Endpoints + servers (real-time)
    Agentless: Cloud instances, containers (periodic)
  
  Scan schedules:
    Daily: Cloud instances, containers (low impact, high value)
    Weekly: Servers, endpoints, web applications
    Monthly: Network devices, SaaS applications
    On-demand: Post-incident, pre-audit, new asset onboarding
  
  Scan windows:
    Servers: 2:00 AM - 6:00 AM (off-peak)
    Containers: Continuous (minimal impact)
    Endpoints: 8:00 PM - 12:00 AM (after business hours)
    Cloud: 24/7 (no scheduling impact — agentless)

VULNERABILITY RESULTS (January 2025):
  Total vulnerabilities found: 847
  ┌─────────────────────────┬──────────┬──────────┬──────────┐
  │ Severity                │ Count    │ %        │ Target   │
  ├─────────────────────────┼──────────┼──────────┼──────────┤
  │ Critical (CVSS 9.0-10.0)│ 12       │ 1.4%     │ 0        │
  │ High (CVSS 7.0-8.9)     │ 48       │ 5.7%     │ <10      │
  │ Medium (CVSS 4.0-6.9)   │ 285      │ 33.6%    │ <100     │
  │ Low (CVSS 0.1-3.9)      │ 502      │ 59.3%    │ N/A      │
  │ ───────────────────── │ ────── │ ────── │ ────── │
  │ TOTAL                 │ 847    │ 100%   │          │
  └─────────────────────────┴──────────┴──────────┴──────────┘

  Trend (6 months):
    Critical: 25 → 18 → 15 → 12 (declining) ✓
    High: 85 → 68 → 55 → 48 (declining) ✓
    Medium: 380 → 340 → 310 → 285 (declining) ✓
    Overall: Improving — 30% reduction in 6 months

TOP 10 VULNERABILITIES (by count):
  1. CVE-2024-XXXX (OpenSSL): Medium — 45 instances
  2. CVE-2024-XXXX (Log4j): Low — 38 instances
  3. CVE-2024-XXXX (Linux kernel): High — 12 instances
  4. CVE-2024-XXXX (Nginx): Medium — 35 instances
  5. CVE-2024-XXXX (Python pip): Low — 62 instances
  6. CVE-2024-XXXX (Docker): Medium — 28 instances
  7. CVE-2024-XXXX (Apache): High — 8 instances
  8. CVE-2024-XXXX (Node.js): Low — 95 instances
  9. CVE-2024-XXXX (Ruby): Medium — 18 instances
  10. CVE-2024-XXXX (PostgreSQL): High — 15 instances

Risk-Based Patch Prioritization

Prioritization Framework

RISK-BASED PATCH PRIORITIZATION:
════════════════════════════════

RISK SCORING MODEL:
  Patch Priority Score = CVSS × Exposure × Asset Criticality × Exploitability
  
  Components:
    CVSS score: 0-10 (from NVD)
    Exposure factor:
      Internet-facing: 2.0
      DMZ: 1.5
      Internal (restricted): 1.0
      Internal (general): 0.7
    Asset criticality:
      Production (mission-critical): 2.0
      Production (business-critical): 1.5
      Staging/Development: 0.7
      Test: 0.3
    Exploitability:
      Active exploitation (in the wild): 2.0
      Proof-of-concept available: 1.5
      Theoretical (no exploit): 0.7
      Vendor patch available: 1.0

PRIORITY TIER ASSIGNMENT:
  Tier 0 — EMERGENCY (Score > 25):
    - Patch within 24 hours
    - Bypass testing (if vendor-verified fix)
    - Approval: Security team lead (expedited)
    - Examples: Active RCE exploits, zero-days in production
    - Current: 0 items ✓
  
  Tier 1 — CRITICAL (Score 15-25):
    - Patch within 72 hours
    - Quick staging validation (smoke tests)
    - Approval: Security + IT Operations lead
    - Examples: Critical/high CVEs on internet-facing systems
    - Current: 3 items (being addressed)
  
  Tier 2 — HIGH (Score 8-15):
    - Patch within 1 week
    - Full staging test cycle
    - Approval: Standard change process
    - Examples: High CVEs on internal systems, medium on internet-facing
    - Current: 15 items (scheduled for next patch cycle)
  
  Tier 3 — MEDIUM (Score 3-8):
    - Patch within 2 weeks
    - Standard testing
    - Approval: Standard change process
    - Examples: Medium CVEs on internal systems
    - Current: 85 items (included in monthly cycle)
  
  Tier 4 — LOW (Score < 3):
    - Patch within 30 days (next maintenance window)
    - Minimal testing (low-risk changes)
    - Approval: Automated (pre-approved change)
    - Examples: Low CVEs, non-production
    - Current: 320 items (batched into monthly cycle)

COMPLIANCE DRIVEN PRIORITIZATION:
  Regulatory requirements:
    PCI DSS: Critical patches within 30 days
    SOC 2: All patches within 90 days
    HIPAA: Critical patches within 14 days
    ISO 27001: Patch policy compliance (risk-based)
  
  Compliance calendar:
    Next PCI DSS audit: March 2025
    Next SOC 2 audit: June 2025
    Next ISO 27001 surveillance: September 2025
  
  Pre-audit scan: 2 weeks before each audit
  Remediation target: Zero critical/high findings before audit

Patch Testing & Deployment

Safe Deployment Process

PATCH TESTING PROCESS:
══════════════════════

TEST ENVIRONMENT:
  Staging environment mirrors production (1:1 parity)
    Servers: 20 staging (representing 165 production)
    Containers: 50 staging pods (representing 380 production)
    Applications: All production apps (staging version)
    Database: Production snapshot (anonymized)
  
  Test categories:
    1. Compatibility testing:
       - Application functionality (smoke tests)
       - API endpoints (contract testing)
       - Database connectivity
       - Integration points (third-party services)
       - User authentication (SSO, MFA)
    
    2. Performance testing:
       - CPU/memory utilization (pre vs. post)
       - Response time (API latency)
       - Throughput (requests per second)
       - Resource limits (ulimit, cgroup)
       - Database query performance
    
    3. Security testing:
       - Vulnerability re-scan (verify fix)
       - Configuration drift check
       - Access control validation
       - Encryption verification
       - Logging/monitoring intact
    
    4. Regression testing:
       - Previous patches (no conflict)
       - Known issues (no re-emergence)
       - Feature functionality (no regression)
       - Error handling (no change)

TEST RESULTS (January Patch Cycle):
  Patches tested: 234
  ┌─────────────────────────┬──────────┬──────────┐
  │ Result                  │ Count    │ %        │
  ├─────────────────────────┼──────────┼──────────┤
  │ Pass (no issues)        │ 218      │ 93.2%    │
  │ Minor issues (accept)   │ 12       │ 5.1%     │
  │ Major issues (block)    │ 3        │ 1.3%     │
  │ Not tested (N/A)        │ 1        │ 0.4%     │
  │ ───────────────────── │ ────── │ ────── │
  │ TOTAL                 │ 234    │ 100%   │
  └─────────────────────────┴──────────┴──────────┘

  Blocked patches (3):
    1. Linux kernel 5.15.148 — memory leak in staging (vendor aware)
       Action: Defer to next cycle, monitor fix ETA
    2. Nginx 1.25.4 — config file compatibility issue
       Action: Update config template, retest
    3. Python 3.11.7 — dependency conflict (Django)
       Action: Update Django first, then Python

PATCH DEPLOYMENT PROCESS:
  Maintenance windows:
    Sunday 2:00 AM - 6:00 AM (primary, monthly)
    Wednesday 3:00 AM - 5:00 AM (emergency, as needed)
    Saturday 10:00 PM - 2:00 AM (emergency, critical only)
  
  Deployment strategy:
    1. Canary deployment (5% of servers)
       - Monitor for 30 minutes
       - Check health checks, error rates, performance
       - If issues: Rollback immediately
    
    2. Staged rollout (25% → 50% → 75% → 100%)
       - Each stage: 30-minute monitoring
       - Auto-pause on error threshold (>0.5% error rate)
       - Manual approval between stages
    
    3. Blue-green (critical systems)
       - Deploy to green (new) environment
       - Validate green environment
       - Switch traffic (instant)
       - Rollback: Switch back to blue (instant)
  
  Deployment tools:
    Ansible: Server patching (Linux + Windows)
    Kubernetes: Container image updates (rolling update)
    AWS Systems Manager: Cloud instance patching
    Azure Update Manager: Azure VM patching
    CrowdStrike: Endpoint patching

DEPLOYMENT RESULTS (January Patch Cycle):
  Patches deployed: 215 (of 234 tested, 19 deferred)
  Deployment success rate: 99.5% (214/215)
  Failed deployments: 1 (auto-rollback, no impact)
  Total deployment time: 3.5 hours (target: <4 hours) ✓
  Downtime: 0 minutes (zero downtime achieved) ✓
  Rollbacks: 1 (contained, no user impact)

POST-DEPLOYMENT VERIFICATION:
  Re-scan (post-patch):
    Critical vulnerabilities: 12 → 9 (-3)
    High vulnerabilities: 48 → 36 (-12)
    Medium vulnerabilities: 285 → 260 (-25)
    Verification rate: 96% (patches confirmed)
  
  Monitoring (24-hour post-deployment):
    Error rate: Stable (no increase)
    Performance: Stable (no degradation)
    Availability: 100% (no incidents)
    User impact: None reported
  
  Compliance update:
    PCI DSS patch compliance: 98.5% (target: >95%) ✓
    SOC 2 patch compliance: 96.8% (target: >90%) ✓
    ISO 27001 compliance: Verified

Output

Vulnerability & Patch Dashboard

VULNERABILITY & PATCH DASHBOARD — Jan 2025
═══════════════════════════════════════════

Scan Coverage:
  Total assets: 1,195
  Scan compliance: 99.2% (12 assets deferred — decommissioning)
  Last full scan: Jan 25, 2025
  
Vulnerability Summary:
  Critical: 12 (target: 0 — 3 in progress)
  High: 48 (target: <10 — 15 in progress)
  Medium: 285 (target: <100 — 85 scheduled)
  Low: 502 (low priority, included in cycle)
  Trend: Improving (30% reduction in 6 months)

Patch Management:
  Last cycle: Jan 26, 2025
  Patches deployed: 215
  Success rate: 99.5%
  Downtime: 0 minutes
  Next cycle: Feb 23, 2025 (monthly)
  Emergency patches (YTD): 0
  
Testing:
  Test pass rate: 93.2% (target: >90%) ✓
  Blocked patches: 3 (vendor issues — deferred)
  Avg. test cycle: 1.5 days (target: <2 days) ✓

Compliance:
  PCI DSS: 98.5% (target: >95%) ✓
  SOC 2: 96.8% (target: >90%) ✓
  ISO 27001: Verified
  Next audit prep: March 2025 (PCI DSS — 2 weeks scan)

Actions:
  1. Critical patch deployment (3 — within 72 hours)
  2. Pre-audit scan (Feb 10 — PCI DSS)
  3. Monthly patch cycle (Feb 23)
  4. Scan scope review (new assets added)
  5. Scanner tool review (annual — Q2)

Integration Points

Edge Cases