Improving Web Application Security: Threats and Countermeasures

If your assessment determines that a patch must be installed, test that patch against your system to ensure that no breaking changes are introduced or, if a breaking change is expected, to determine how to work around it.

Methods for Testing Security Patches

Methods used to test the installation of security patches against your systems include:

Confirming the Installation of a Patch

Before deploying a patch to production servers, confirm that the tested patch has made the appropriate changes on the test servers. Each security bulletin includes the information you need to confirm that the patch has been installed. In each bulletin, the Additional information about this patch section contains the entry Verifying patch installation. It includes registry values, file versions, or similar configuration changes that you can use to verify that the patch is installed.
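One way to script that confirmation on a test server is shown below. This is an added example, not part of the original guide; the file path, version, registry key, value name and value are constructed placeholders to be replaced with the entries from the bulletin's Verifying patch installation section, and the function name Test-PatchEntry is hypothetical.

```powershell
# Expected state, copied from the bulletin. Every value here is a constructed
# placeholder, not taken from any real bulletin.
$Expected = @(
    @{ Type = 'File'; Path = 'C:\Windows\System32\example.dll'; MinVersion = '1.2.3.4' }
    @{ Type = 'Registry'; Path = 'HKLM:\SOFTWARE\ExampleVendor\Updates\PLACEHOLDER-ID'
       Name = 'Installed'; Value = 1 }
)

function Test-PatchEntry {
    param([hashtable]$Entry)
    switch ($Entry.Type) {
        'File' {
            if (-not (Test-Path -LiteralPath $Entry.Path)) { return 'Missing file' }
            $info = (Get-Item -LiteralPath $Entry.Path).VersionInfo
            # Use the numeric parts: the FileVersion string can carry extra text.
            $actual = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                                     $info.FileBuildPart, $info.FilePrivatePart)
            if ($actual -ge [version]$Entry.MinVersion) { return 'OK' }
            return "Version $actual is below $($Entry.MinVersion)"
        }
        'Registry' {
            $prop = Get-ItemProperty -LiteralPath $Entry.Path -Name $Entry.Name `
                                     -ErrorAction SilentlyContinue
            if ($null -eq $prop) { return 'Missing registry value' }
            $actual = $prop.($Entry.Name)
            if ($actual -eq $Entry.Value) { return 'OK' }
            return "Value is $actual, expected $($Entry.Value)"
        }
        default { return "Unknown entry type $($Entry.Type)" }
    }
}

# Check every entry and report one row per entry.
$results = foreach ($e in $Expected) {
    [pscustomobject]@{ Type = $e.Type; Path = $e.Path; Result = Test-PatchEntry $e }
}
$results | Format-Table -AutoSize

# A non-zero exit code lets a test harness fail the run when any check is not OK.
if (@($results | Where-Object { $_.Result -ne 'OK' }).Count -gt 0) { exit 1 }
```

Running the same script before and after the uninstall routine also shows whether the uninstall returned the files and registry values to their previous state.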

Uninstalling a Security Patch

If you need to uninstall a patch, use Add/Remove Programs in the Control Panel. If an uninstall routine is not an option for the patch and its installation introduces breaking changes, you must restore your system from backup. Make sure that your testing process also covers the patch uninstall routine.

The security bulletin lists the availability of an uninstall routine in the Additional information about this patch section.
