But it's not a security patch

Katie Bianchi, Delivery Lead

Our Thinking | Mon 16th October, 2023

Why a patch culture is important

Updates and patching are close to my heart. Having spent over ten years in policing, where you are often too late to the party, I'm a huge advocate of the philosophy that prevention is better than cure. This mindset has followed me into technology, so upgrades and patching are always high on my agenda.

A patching culture means starting from a position where application security patches and updates are part of the team's ethos. But all too often in application-level management, people ask me why my team is doing a certain patch, because:

  • It isn't a security issue
  • It isn't a security concern that affects us
  • It's not a feature we use

So why do we need patches and updates so often? The answer is operability. Upgrades underpin operability, and when patches are ignored or done badly, you can build lots of new features but the underlying security isn't there.

If your team has a patching culture then patching becomes an everyday part of the routine. Once you have that, everything falls into place: you can build AMIs and deploy faster, more safely and more easily.

Building a team culture where patches and upgrades are completed regularly and efficiently comes down to three things: drills, pain, and fast action. 

Patching Drills

If you speak to any emergency worker or current or ex-military member, they will no doubt have a horror story or two about spending thousands of hours performing drills until they become muscle memory. The value of doing the important things on a regular basis is well understood. Drills ensure that team actions are simple, easy and effective, under any conditions. It's exactly the same for software! Making upgrades a routine part of the daily work for all team members means that new engineers are embedded into this culture from day one, and it just makes sense.

If patching hurts, do it more often

This has to be my favourite of all the continuous delivery principles, and it is so relevant here. The reason so many organisations shy away from upgrades and patching is that they can be a nightmare. But if we make ourselves go through this pain regularly, the whole team will see the value of spending time to improve the process. It will eventually get to the point of not being a huge deal. But you can only get to that point by going through the pain and discomfort first.

Patches are better when they’re fast 

We know that small changes are better than big ones. If your team has a strong patch culture and you're regularly updating to the latest versions, then there are fewer changes to factor in and understand when a critical incident or zero-day comes in.
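To make the "fewer changes to factor in" point concrete, here is an added example (not the author's tooling, and not from any real project): a small patch-drift check that compares each host's installed version against a release list. The package, its release history and the host inventory are all constructed sample data, and the version scheme is a simple major.minor.patch assumption. When a fix ships in the newest release, a host that patches routinely has one change to absorb; a host that has drifted has to step through every intervening release under incident pressure.

```python
"""Patch-drift check: how far behind the latest release each host is.

Added example for this article, not the author's or any project's code.
All package names, versions and hostnames below are constructed.
"""


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'major.minor.patch' into a comparable tuple (assumed scheme)."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


# Constructed: release history of a hypothetical package, oldest to newest.
RELEASES = ["2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.6.0", "2.6.1"]

# Constructed host inventory: hostname -> installed version.
INVENTORY = {
    "web-01": "2.6.1",   # patched as part of the routine
    "web-02": "2.6.0",   # one release behind
    "api-01": "2.4.1",   # drifted
    "batch-01": "2.4.0", # drifted badly
}


def releases_behind(installed: str, releases=RELEASES) -> int:
    """Number of releases newer than the installed one (0 means current)."""
    current = parse_version(installed)
    return sum(1 for r in releases if parse_version(r) > current)


def drift_report(inventory=INVENTORY, releases=RELEASES) -> dict[str, int]:
    """Per-host count of releases still to be applied."""
    return {host: releases_behind(ver, releases) for host, ver in inventory.items()}


def upgrade_path(installed: str, releases=RELEASES) -> list[str]:
    """Ordered releases a host must step through to become current.

    This is the set of changes the team has to understand during an
    incident if the host has not been kept up to date.
    """
    current = parse_version(installed)
    return [r for r in sorted(releases, key=parse_version) if parse_version(r) > current]


def affected_by(fixed_in: str, inventory=INVENTORY) -> list[str]:
    """Hosts still running a version older than the release carrying a fix."""
    fix = parse_version(fixed_in)
    return sorted(host for host, ver in inventory.items() if parse_version(ver) < fix)


if __name__ == "__main__":
    for host, behind in drift_report().items():
        print(f"{host}: {behind} release(s) behind, path={upgrade_path(INVENTORY[host])}")
    print("hosts needing the 2.6.1 fix:", affected_by("2.6.1"))
```

Run as a script it prints the drift per host and which hosts still need the newest release. In practice the inventory would come from your configuration management or image build metadata rather than a hard-coded dict, but the comparison logic is the same.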

If you are adopting a 'drill' mentality then you will have a familiar paved road, without the added pressure of worrying about security issues, because 'this is what we do'. Additionally, having gone through the pain of getting to a patch culture means that pain has already been reduced, so you aren't trying to respond to an incident quickly while surrounded by pain everywhere you turn.

What does a patch culture mean? 

In summary, even where you aren't currently using AMIs for your versioning and building on top of them at provisioning time, there are still things you can do to be less like pets that are treated for illness and more like cattle that are replaced.

A patch culture ensures you are working in the safest environment for everyone. Start with: patch often, patch often, patch often.

Make it clear that upgrades and patches are important to you, your team, and your organisation. Love upgrades.

Finally, as with all things agile, iterate and improve from where you are now.