A secure patch management authority

Abstract

Throughout the Software Development Life Cycle, products are maintained, enhanced and periodically patched until they are retired or replaced. It is because of the way in which software is initially deployed that ongoing maintenance becomes a critical element in extending a software product's life cycle. It is the ongoing, incremental development process, and an interactive dependence of system platforms, interoperability requirements, and time-to-market pressures that inadvertently produce software defects. In addition to faults and systematic improvements of product features that are required of software products, security breaches are periodically discovered. The result is the issuing of software patches. These patches have become so frequent that it has become a principle system management issue. A systems administrator who is responsible for security measures needs to track, install said updates, and document their corrective actions. The time between the discovery of a software breach and the resulting patch creates system vulnerability. The time between the issuance of the patch and the resulting install creates system vulnerability. The possible corruption of the patch prior to the delivery phase and/or during delivery creates additional vulnerabilities. The difficulties of identifying, acquiring, and installing patches is further exacerbated by the multitude of software vendors that do not work in tandem, and operate their own patch distribution systems. Patch management systems contain elements of software management, patch generation and accessibility, and delivery mechanisms. Secure patch management systems focus primarily on the secure delivery of the patch. This thesis provides an exploration of patch management models, methods, and systems, and seeks to identify the underlying processes of secure patch management systems. What is proposed and detailed is a Secure Patch Management Authority architecture as one possible solution to improving the time between patch issuance and installation. This authority will work with patch originators to provide timely notification of new patches, facilitate the distribution of said patches in a secure manner, and provide patch implementation confirmation and error reporting back to the patch originators. A critical component of this architecture is a new cryptographic algorithm that provides integrity verification and error control triangulation in the transport of the patches.